Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 16 Jul 2012 11:07:50 +0400
From: Solar Designer <solar@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: My audit of cracker, format, loader.c

Jim -

Thank you for your code reviews!

On Sun, Jul 15, 2012 at 04:49:49PM -0400, jfoug@....net wrote:
> I know it is 100% core.  My point is the core code loses the validity checking that was in bleeding, which helped keep spurious fields[2] from being loaded.  The 2 calls to valid were put into prepare on purpose.  They are not in core, but should be.

I dropped those two calls to valid() from LM's prepare() on purpose,
because they looked redundant to me (and in more obscure cases where
they are not strictly redundant, they appeared to be undesired).  They
still do.  loader.c calls valid() on whatever prepare() returns anyway.

Can you explain how spurious fields were being loaded without those
valid() calls, preferably by providing a very specific example (input
file line that gets processed incorrectly without those checks, the
corresponding "john" command-line, and desired vs. actual behavior)?

Thanks again,

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ