Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 30 Apr 2013 11:36:49 +0530
From: Dhiru Kholia <dhiru.kholia@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: Yet more crashes

On 04/28/13 at 08:31pm, Lukas Odzioba wrote:
> 2013/4/28 Alexander Cherepanov <cherepan@...me.ru>:
> > Most crashes posted earlier are fixed now (cool!) so I made my "fuzzer" a
> > bit more aggressive and found some more crashes. Posting new and remaining
> > old problems combined.
>
> Alexander provided an example where count=-1 and that causes john to crash.
> I tried to put negative values in other fields - it caused an assert
> and stops the program, or john was doing something - I am not sure
> about effect of that - both cases not sounds good.
> I guess none of fields can contain a negative values, but I need help
> about other limits set on them (equal 0, min,max values).
>
> algorithm - do we use it at all?

No.

> datalen - minimum bound?

Should not matter.

> data - every character should be in atoi16[]
> spec - this needs to be validated with hash_algorithm
> usage - {0,255,254} - magic numbers
> hash_algorithm - this needs to be validated with spec
> cipher_algorithm - {CIPHER_CAST5, CIPHER_BLOWFISH, CIPHER_AES128,
> CIPHER_AES192, CIPHER_AES256}
> ivlen - minimum bound

Yes, all these checks are required.

> iv - every character should be in atoi16[]
> count - min,max bounds
> salt - every character should be in atoi16[]

These are required.

--
Dhiru

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ