Date: Tue, 30 Apr 2013 12:00:29 +0530
From: Dhiru Kholia <dhiru.kholia@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: Yet more crashes

On 04/30/13 at 08:20am, Lukas Odzioba wrote:
> 2013/4/30 Dhiru Kholia <dhiru.kholia@...il.com>:
> > On 04/28/13 at 08:31pm, Lukas Odzioba wrote:
> >> algorithm - do we use it at all?
> >
> > No.
> So why is it there? Can we just drop this field, or might it be used
> in the future?
>
> >> datalen - minimum bound?
> > Should not matter.
> So -1000 is a proper value, or rather 0 is the smallest valid one?
> Same situation with count, I would like to hear from you what are the
> bounds on this field.

Negative values for datalen will get rejected with existing checks.

if (strlen(p) != res * 2)
    goto err;

You can't really have "negative length strings" ;)

For count, checking for a positive value greater than 0 should be OK.

> Can you be more specific about minimum ivlen?

The possible values of ivlen are 8 and 16, IIRC.

--
Dhiru
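
The bounds discussed in this message (datalen matched against the hex string length, count greater than 0, ivlen of 8 or 16), written out as explicit checks that do not depend on how a negative int compares against strlen(). This is an added example, not code from John the Ripper or from this thread. The function names, the argument order, the MAX_DATALEN cap and the acceptance of datalen 0 are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DATALEN 1024   /* constructed cap, an assumption of this example */

/* Parse a non-negative decimal field.
 * Returns -1 for an empty string, a sign, trailing junk, overflow or > max. */
static long parse_field(const char *s, long max)
{
    char *end;
    long v;

    if (!isdigit((unsigned char)s[0]))   /* rejects "", "-1000", "+5", " 7" */
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno || *end != '\0' || v > max)
        return -1;
    return v;
}

/* Hypothetical helper: returns 1 if the already-split fields pass the
 * bounds named in the message, 0 otherwise. */
int fields_valid(const char *count, const char *ivlen,
                 const char *datalen, const char *hexdata)
{
    long c  = parse_field(count, INT_MAX);
    long iv = parse_field(ivlen, 16);
    long dl = parse_field(datalen, MAX_DATALEN);
    size_t i, n = strlen(hexdata);

    if (c <= 0)                  /* count: positive, greater than 0 */
        return 0;
    if (iv != 8 && iv != 16)     /* ivlen: 8 or 16 */
        return 0;
    if (dl < 0)                  /* datalen: explicit sign and range check */
        return 0;
    if (n != (size_t)dl * 2)     /* two hex digits per byte of data */
        return 0;
    for (i = 0; i < n; i++)      /* only hex digits in the data field */
        if (!isxdigit((unsigned char)hexdata[i]))
            return 0;
    return 1;
}
```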
