bug-glibc

Possible off by one error at crypt/md5-crypt.c:182


From: Ryan Mack
Subject: Possible off by one error at crypt/md5-crypt.c:182
Date: Thu, 30 Aug 2001 18:19:12 -0700 (PDT)

179  /* Now we can construct the result string.  It consists of three
180   parts.  */
181  cp = __stpncpy (buffer, md5_salt_prefix, MAX (0, buflen));
182  buflen -= sizeof (md5_salt_prefix);

Line 181 copies md5_salt_prefix into the output buffer which is a total of
four bytes ({'$', '1', '$', '\0'}), however cp now points to the position
of '\0'.  Thus you have effectively only used three bytes of the buffer.

Line 182 incorrectly subtracts *four* bytes (sizeof (md5_salt_prefix) = 4)
from the remaining length of the buffer.  *Untested* patch attached
(sorry, I don't have a system I can test on).

I'd like to warn again that I have *not* tested this change.  It was just
something I noticed while perusing the source.

Attachment: md5-crypt.patch
Description: Text document
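
The length accounting described in the report, as an added example that is not part of the original message or of glibc: it compares subtracting sizeof (which counts the NUL) with subtracting only the bytes the returned pointer advanced past. The names salt_prefix, stpncpy_like, copy_prefix, drift and salt_fits, and the 12-byte buffer, are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for md5_salt_prefix: three characters plus the NUL. */
static const char salt_prefix[] = "$1$";

/* Portable stand-in with stpncpy semantics: copy at most n bytes, zero-fill
   the rest, return a pointer to the NUL written in dst (dst + n if none). */
static char *stpncpy_like(char *dst, const char *src, size_t n)
{
    size_t len = strlen(src);
    if (len > n)
        len = n;
    memcpy(dst, src, len);
    memset(dst + len, 0, n - len);
    return dst + len;
}

/* Copy the prefix and return the tracked remaining length.
   count_nul = 1 subtracts sizeof (as in the quoted line 182);
   count_nul = 0 subtracts only the bytes that cp advanced past. */
static int copy_prefix(char *buffer, int buflen, int count_nul, char **cp)
{
    *cp = stpncpy_like(buffer, salt_prefix, (size_t)(buflen > 0 ? buflen : 0));
    return buflen - (int)(sizeof(salt_prefix) - (count_nul ? 0 : 1));
}

/* Bytes really left after cp, minus what the bookkeeping believes is left. */
static int drift(const char *buffer, const char *cp, int buflen, int tracked)
{
    return (buflen - (int)(cp - buffer)) - tracked;
}

/* Hypothetical follow-on check: is there room for a salt plus its NUL? */
static int salt_fits(int tracked, size_t salt_len)
{
    return tracked >= (int)salt_len + 1;
}

int main(void)
{
    char buf[12], *cp;   /* constructed: exactly "$1$" + 8-char salt + NUL */
    for (int mode = 1; mode >= 0; mode--) {
        int left = copy_prefix(buf, (int)sizeof buf, mode, &cp);
        printf("count_nul=%d tracked=%d drift=%d salt_fits=%d\n", mode, left,
               drift(buf, cp, (int)sizeof buf, left), salt_fits(left, 8));
    }
    return 0;
}
```

With the sizeof form the tracked length is one byte smaller than the space actually left after cp, so a buffer that is exactly large enough is judged too small.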

