From 6002ccec6b037f2370ddee42d64a6c4013d7faca Mon Sep 17 00:00:00 2001
From: Aaron Jones
Date: Tue, 20 Dec 2016 17:29:37 +0000
Subject: [PATCH] mkpasswd: avoid strdup(NULL) and the like if rb_crypt() fails
---
 tools/mkpasswd.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/tools/mkpasswd.c b/tools/mkpasswd.c
index 57f73e4f..8b8c96c1 100644
--- a/tools/mkpasswd.c
+++ b/tools/mkpasswd.c
@@ -90,7 +90,7 @@ main(int argc, char *argv[])
 int c;
 char *saltpara = NULL;
 char *salt;
- char *hashed;
+ char *hashed, *hashed2;
 int flag = 0;
 int length = 0; /* Not Set */
 int rounds = 0; /* Not set, since blowfish needs 4 by default, a side effect
@@ -194,10 +194,24 @@ main(int argc, char *argv[])
 }
 else
 {
- hashed = strdup(rb_crypt(getpass("plaintext: "), salt));
- plaintext = getpass("again: ");
+ plaintext = getpass("plaintext: ");
+ hashed = rb_crypt(plaintext, salt);
+ if (!hashed)
+ {
+ fprintf(stderr, "rb_crypt() failed\n");
+ return 1;
+ }
+ hashed = strdup(hashed);

- if (strcmp(rb_crypt(plaintext, salt), hashed) != 0)
+ plaintext = getpass("again: ");
+ hashed2 = rb_crypt(plaintext, salt);
+ if (!hashed2)
+ {
+ fprintf(stderr, "rb_crypt() failed\n");
+ return 1;
+ }
+
+ if (strcmp(hashed, hashed2) != 0)
 {
 fprintf(stderr, "Passwords do not match\n");
 return 1;
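Review bot: The result of `strdup(hashed)` in the second hunk is still unchecked, so an allocation failure leaves `hashed` NULL and the later `strcmp(hashed, hashed2)` dereferences it, which is the same class of crash this commit removes for rb_crypt(). I would fold the check into the copy, e.g. `if ((hashed = strdup(hashed)) == NULL) { fprintf(stderr, "strdup() failed\n"); return 1; }`. Both `getpass()` results are also handed straight to rb_crypt(); getpass() can return NULL when no terminal is available, and whether rb_crypt() tolerates a NULL key is not visible here, so an `if (!plaintext)` guard after each call would be worth adding. main() starts before and continues past this hunk.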