1 files changed, 11 insertions, 7 deletions

diff --git a/modules/pam_unix/unix_update.c b/modules/pam_unix/unix_update.c
index 6ea7ea51..49a70ff3 100644
--- a/modules/pam_unix/unix_update.c
+++ b/modules/pam_unix/unix_update.c
@@ -32,14 +32,15 @@
 #include <security/_pam_macros.h>
 
 #include "passverify.h"
+#include "pam_inline.h"
 
 static int
 set_password(const char *forwho, const char *shadow, const char *remember)
 {
     struct passwd *pwd = NULL;
     int retval;
-    char pass[MAXPASS + 1];
-    char towhat[MAXPASS + 1];
+    char pass[PAM_MAX_RESP_SIZE + 1];
+    char towhat[PAM_MAX_RESP_SIZE + 1];
     int npass = 0;
     /* we don't care about number format errors because the helper
        should be called internally only */
@@ -49,20 +50,23 @@ set_password(const char *forwho, const char *shadow, const char *remember)
 
     /* read the password from stdin (a pipe from the pam_unix module) */
 
-    npass = read_passwords(STDIN_FILENO, 2, passwords);
+    npass = pam_read_passwords(STDIN_FILENO, 2, passwords);
 
     if (npass != 2) {	/* is it a valid password? */
       if (npass == 1) {
         helper_log_err(LOG_DEBUG, "no new password supplied");
-	memset(pass, '\0', MAXPASS);
+        pam_overwrite_array(pass);
       } else {
         helper_log_err(LOG_DEBUG, "no valid passwords supplied");
       }
       return PAM_AUTHTOK_ERR;
     }
 
-    if (lock_pwdf() != PAM_SUCCESS)
+    if (lock_pwdf() != PAM_SUCCESS) {
+	pam_overwrite_array(pass);
+	pam_overwrite_array(towhat);
 	return PAM_AUTHTOK_LOCK_BUSY;
+    }
 
     pwd = getpwnam(forwho);
 
@@ -97,8 +101,8 @@ set_password(const char *forwho, const char *shadow, const char *remember)
     }
 
 done:
-    memset(pass, '\0', MAXPASS);
-    memset(towhat, '\0', MAXPASS);
+    pam_overwrite_array(pass);
+    pam_overwrite_array(towhat);
 
     unlock_pwdf();