Possible off by one error at crypt/md5-crypt.c:182
From: Ryan Mack
Subject: Possible off by one error at crypt/md5-crypt.c:182
Date: Thu, 30 Aug 2001 18:19:12 -0700 (PDT)
179 /* Now we can construct the result string. It consists of three
180 parts. */
181 cp = __stpncpy (buffer, md5_salt_prefix, MAX (0, buflen));
182 buflen -= sizeof (md5_salt_prefix);
Line 181 copies md5_salt_prefix into the output buffer which is a total of
four bytes ({'$', '1', '$', '\0'}), however cp now points to the position
of '\0'. Thus you have effectively only used three bytes of the buffer.
Line 182 incorrectly subtracts *four* bytes (sizeof (md5_salt_prefix) = 4)
from the remaining length of the buffer. *Untested* patch attached
(sorry, I don't have a system I can test on).
I'd like to warn again that I have *not* tested this change. It was just
something I noticed while perusing the source.
Attachment: md5-crypt.patch (Text document)
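Added example, not part of the original message and not glibc code: a self-contained C sketch of the length accounting described above, showing that charging sizeof (md5_salt_prefix) makes an exact-fit 35-byte buffer look one byte too small. The helper build_result, its prefix_cost parameter, and the salt and 22-character hash stand-in are hypothetical, constructed values.

```c
#define _GNU_SOURCE                      /* for stpncpy */
#include <stdio.h>
#include <string.h>
static const char md5_salt_prefix[] = "$1$";   /* sizeof is 4, strlen is 3 */

/* Constructed sample values: 8-byte salt, 22-character stand-in for the
   encoded digest. Exact fit is 3 + 8 + 1 + 22 + 1 (NUL) = 35 bytes. */
#define SALT "saltsalt"
#define HASH "0123456789abcdefghijkl"
#define EXACT_FIT 35

/* Hypothetical helper: assemble "$1$<salt>$<hash>" in buffer, charging
   prefix_cost bytes of buflen for the prefix. Returns 0 on success, -1
   when the tracked length says the result does not fit. */
static int build_result(char *buffer, int buflen, const char *salt,
                        const char *hash, int prefix_cost)
{
    int salt_len = (int) strlen(salt), hash_len = (int) strlen(hash);
    char *cp;
    if (buflen < (int) sizeof md5_salt_prefix)
        return -1;                        /* prefix and its NUL must fit */
    cp = stpncpy(buffer, md5_salt_prefix, (size_t) buflen);
    buflen -= prefix_cost;                /* line 182 charges sizeof: 4 */

    if (buflen < salt_len + 1)            /* salt plus '$' separator */
        return -1;
    cp = stpncpy(cp, salt, (size_t) salt_len);
    *cp++ = '$';
    buflen -= salt_len + 1;

    if (buflen < hash_len + 1)            /* hash plus terminating NUL */
        return -1;
    memcpy(cp, hash, (size_t) hash_len + 1);
    return 0;
}

int main(void)
{
    char buf[EXACT_FIT + 1];
    int by_sizeof = (int) sizeof md5_salt_prefix;   /* as on line 182 */
    int by_strlen = by_sizeof - 1;                  /* bytes cp advanced */
    printf("sizeof, %d bytes: %d\n", EXACT_FIT,
           build_result(buf, EXACT_FIT, SALT, HASH, by_sizeof));
    printf("sizeof, %d bytes: %d\n", EXACT_FIT + 1,
           build_result(buf, EXACT_FIT + 1, SALT, HASH, by_sizeof));
    printf("strlen, %d bytes: %d\n", EXACT_FIT,
           build_result(buf, EXACT_FIT, SALT, HASH, by_strlen));
    return 0;
}
```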