util-linux patch bug: too long password
Hi,
I'm mailing you as the maintainer of the kernel international patches.
In the current (2.4.0.1) crypto patch there is a patch for util-linux containing these
lines:
+ case LO_CRYPT_FISH2:
+ case LO_CRYPT_BLOW:
+ case LO_CRYPT_IDEA:
+ case LO_CRYPT_CAST128:
+ pass = xgetpass(pfd, _("Password :"));
+ strncpy(passwdbuff+1,pass,PASSWDBUFFLEN-1);
+ passwdbuff[0] = 'A';
+ rmd160_hash_buffer(keybits,pass,strlen(pass));
+ rmd160_hash_buffer(keybits+HASHLENGTH,passwdbuff,strlen(pass)+1);
As you probably know, strncpy will not terminate the copied string with \0
when copying a string of size PASSWDBUFFLEN-1. This may cause strlen(pass)
and rmd160_hash_buffer to read after the end of passwdbuff.
I think this should fix it.
Martin
--- linux/Documentation/crypto/util-linux-2.10o.patch.orig Sun Jan 7 14:46:42 2001
+++ linux/Documentation/crypto/util-linux-2.10o.patch Sun Jan 7 18:20:19 2001
@@ -229,7 +229,8 @@
+ case LO_CRYPT_IDEA:
+ case LO_CRYPT_CAST128:
+ pass = xgetpass(pfd, _("Password :"));
-+ strncpy(passwdbuff+1,pass,PASSWDBUFFLEN-1);
++ strncpy(passwdbuff+1,pass,PASSWDBUFFLEN-2);
++ passwdbuff[PASSWDBUFFLEN-1]='\0';
+ passwdbuff[0] = 'A';
+ rmd160_hash_buffer(keybits,pass,strlen(pass));
+ rmd160_hash_buffer(keybits+HASHLENGTH,passwdbuff,strlen(pass)+1);
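Review bot: the length passed to the second rmd160_hash_buffer call (last context line of the hunk) is still strlen(pass)+1, taken from the untruncated input rather than from passwdbuff. Assuming passwdbuff holds PASSWDBUFFLEN bytes, as the name suggests, a password longer than PASSWDBUFFLEN-2 characters still makes the hash read past the end of the buffer; the new terminator at passwdbuff[PASSWDBUFFLEN-1] is never consulted. Suggest deriving the length from the buffer itself, e.g. strlen(passwdbuff) taken after passwdbuff[0] = 'A' is set, or clamping strlen(pass)+1 to PASSWDBUFFLEN-1. A short comment that over-long passwords are truncated for the second hash only (the first call still hashes all of pass) would also help the next reader.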
--------------------------------------------------------------------------------
Martin "MaD" Douda
WEB: http://martin.douda.net/ PHONE:+420603752779 ICQ# 86467013
EMAIL: <martin@douda.net>, <mad@gate.mobil.cz> (160 characters only)
PGP:ID=0x6FE43023 Fingerprint:E495 11DA EF6E 0DD6 965A 54F3 888E CC9E 6FE4 3023
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
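Added example, not part of the original message or of the util-linux patch: a small C program that reproduces the buffer handling discussed above and compares the hash length used in the posted code (strlen(pass)+1) with a length taken from the buffer itself. The PASSWDBUFFLEN value, the helper names fill_prefixed and posted_length, and the sample passwords are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define PASSWDBUFFLEN 16  /* assumed small value for the demo; not from the page */

/* Copy as in the proposed fix, then return the number of bytes that can
 * safely be hashed. The length comes from the buffer, not from pass. */
static size_t fill_prefixed(char buf[PASSWDBUFFLEN], const char *pass)
{
    strncpy(buf + 1, pass, PASSWDBUFFLEN - 2); /* no NUL if pass is too long */
    buf[PASSWDBUFFLEN - 1] = '\0';             /* explicit terminator */
    buf[0] = 'A';
    return strlen(buf);                        /* at most PASSWDBUFFLEN-1 */
}

/* Length the posted code hands to the second hash call. */
static size_t posted_length(const char *pass)
{
    return strlen(pass) + 1;
}

int main(void)
{
    /* Constructed sample passwords: short, exactly fitting, too long. */
    const char *samples[] = {
        "short",
        "exactly14chars",
        "a much longer passphrase than the buffer",
    };
    char buf[PASSWDBUFFLEN];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t safe = fill_prefixed(buf, samples[i]);
        size_t posted = posted_length(samples[i]);
        printf("pass len %2zu: posted hash len %2zu, buffer-derived len %2zu%s\n",
               strlen(samples[i]), posted, safe,
               posted > PASSWDBUFFLEN ? "  <-- exceeds passwdbuff" : "");
    }
    return 0;
}
```
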