Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 29 Dec 2012 22:39:20 +0530
From: Dhiru Kholia <dhiru.kholia@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: New self-test for maximum length (was: Formats dmg,
 encfs and strip crash on longer passwords)

On Sat, Dec 29, 2012 at 10:23 PM, magnum <john.magnum@...hmail.com> wrote:
> I just threw this in with devastating results:
>
> commit f49d2c56531de71da2a03c0e28c8bc939cce376b
> Author: magnum <john.magnum@...hmail.com>
> Date:   Sat Dec 29 17:25:46 2012 +0100
>
>     formats.c: Add a self-test that puts maximum length candidates in all
>     buffer positions and then read them back to verify. This finds incorrect
>     claims of PLAINTEXT_SIZE as well as most kinds of key buffer over-runs.
>     It found 15 problematic formats right away.
>
> I have no idea why I did not get the idea long ago. Unlike the "valid() killer" test that is only active with -DDEBUG, this one doesn't seem prone to segfault so it's always active. This is the current results on my 64-bit machine:
> 15 out of 198 tests have FAILED

Surprisingly most of my formats passed. I got scared when I did a "git
pull" and saw the commit message.

> All these are probably real bugs. As you can see, some formats do not get any error within the new test but later - this indicates worse problems than just fence post errors.
>
> I will start looking into raw-md4 and sapB (because they might be my fault). Any other volunteers please post here before starting to debug a format, so we avoid double work.

I am picking IKE, RAdmin and TrueCrypt.

-- 
Cheers,
Dhiru

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ