authorArthur de Jong <arthur@arthurdejong.org>2013-08-18 19:18:55 +0200
committerArthur de Jong <arthur@arthurdejong.org>2013-08-18 19:21:47 +0200
commit44a38eba72a454530a0b42425c860b949a5615fa (patch)
tree18b6bdff7b63967726e6c9e62d715f307d34ec2d
parentd8637bb0a3079746b98548886f52bebf30588453 (diff)
Small fix in NEW_AUTHTOK_REQD handling
There is a potential memory leak if the old password is saved multiple times. Furthermore, PAM_NEW_AUTHTOK_REQD is only allowed as a result of the authorisation phase, not the authentication phase so there is no use in checking.
-rw-r--r--pam/pam.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/pam/pam.c b/pam/pam.c
index 5976e6a..5898ae1 100644
--- a/pam/pam.c
+++ b/pam/pam.c
@@ -503,7 +503,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
if (cfg.debug)
pam_syslog(pamh, LOG_DEBUG, "authentication succeeded");
/* if password change is required, save old password in context */
- if ((resp.res == PAM_NEW_AUTHTOK_REQD) || (ctx->saved_authz.res == PAM_NEW_AUTHTOK_REQD))
+ if ((ctx->saved_authz.res == PAM_NEW_AUTHTOK_REQD) && (ctx->oldpassword == NULL))
ctx->oldpassword = strdup(passwd);
/* update caller's idea of the user name */
if ((resp.msg[0] != '\0') && (strcmp(resp.msg, username) != 0))
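Review bot: The `strdup(passwd)` result under the new condition is still unchecked, so an allocation failure leaves `ctx->oldpassword` NULL with no trace, and the later password-change step would presumably run without the old password. Within that same branch, consider bracing the body and adding `if (ctx->oldpassword == NULL) pam_syslog(pamh, LOG_CRIT, "unable to save old password: out of memory");`. The added `ctx->oldpassword == NULL` guard also means a second successful authentication on the same context keeps the first saved password rather than the current one. If the context can be reused that way, it would be safer to overwrite and free the previous copy (it is a plaintext credential) and then store the new one. pam_sm_authenticate starts and ends outside this hunk, so where the saved copy is wiped and freed is not visible here.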