X-Git-Url: https://git.eyrie.org/?a=blobdiff_plain;f=plugin%2Fheimdal.c;fp=plugin%2Fheimdal.c;h=0ca38b42712cae200524801e40db29c5347ca06d;hb=5e17a82faf4997d2b69e8b7d3a87759569cc1fee;hp=b6bd54710fdc40bd0969e207cab17bf0ca2ab3b0;hpb=399c639c92b4c5f125ba09f47400f8ae39061a3c;p=kerberos%2Fkrb5-strength.git

diff --git a/plugin/heimdal.c b/plugin/heimdal.c
index b6bd547..0ca38b4 100644
--- a/plugin/heimdal.c
+++ b/plugin/heimdal.c
@@ -12,7 +12,7 @@
  * instead.
  *
  * Written by Russ Allbery <eagle@eyrie.org>
- * Copyright 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2020, 2023 Russ Allbery <eagle@eyrie.org>
  * Copyright 2009, 2013
  *     The Board of Trustees of the Leland Stanford Junior University
  *
@@ -61,8 +61,8 @@ convert_error(krb5_context ctx, krb5_error_code code, const char *prefix,
  */
 static int
 heimdal_pwcheck(krb5_context ctx, krb5_principal principal,
-                krb5_data *password, const char *tuning UNUSED, char *message,
-                size_t length)
+                krb5_data *password, const char *tuning UNUSED,
+                char *message, size_t length)
 {
     krb5_pwqual_moddata data = NULL;
     char *pastring;
@@ -99,6 +99,7 @@ heimdal_pwcheck(krb5_context ctx, krb5_principal principal,
         convert_error(ctx, code, NULL, message, length);
 
 done:
+    explicit_bzero(pastring, password->length);
     free(pastring);
     if (name != NULL)
         krb5_free_unparsed_name(ctx, name);