Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 25 May 2011 13:53:57 -0500
From: "jfoug" <jfoug@....net>
To: <john-dev@...ts.openwall.com>
Subject: RE: SSE bug still there in Jumbo-5-RC6++

>-----Original Message-----
>From: magnum [mailto:rawsmooth@...dband.net]
>
>The mssql problem is fixed, patch uploaded to wiki.
>
>Actually I never found the exact cause. 

 static void mssql_init(struct fmt_main *pFmt)
 {
 #ifdef MMX_COEF
 	memset(saved_key, 0, sizeof(saved_key));
 #else
-	saved_key = mem_alloc_tiny(PLAINTEXT_LENGTH*2 + 1, MEM_ALIGN_WORD);
+	saved_key = mem_alloc_tiny(PLAINTEXT_LENGTH*2 + 1 + SALT_SIZE,
MEM_ALIGN_WORD);
 #endif


This was fixed, without the OMP removal.  Same bug in the non MMX builds of
mssql05.  Memory overwrite if the password went over 23 bytes long.  In the
older code, 51 bytes were set aside. Then 23*2+4 == 50. However, plaintext
len was 25, so 24 and 25 char passes blew the buffer.  Prior to your change,
saved_key was a static buffer, and not alloc, but same type bug.  Down in
cryptall, we do a memcpy of the cursalt to past where the Unicode password
lives.  

Jim.

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ