[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 14 Aug 2015 10:55:06 +0800
From: Kai Zhao <loverszhao@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: auditing our use of FMT_* flags
On Fri, Aug 14, 2015 at 10:49 AM, Kai Zhao <loverszhao@...il.com> wrote:
> Hi Alexander,
>
> On Fri, Aug 14, 2015 at 3:18 AM, Solar Designer <solar@...nwall.com> wrote:
>> Kai,
>>
>> When you say that "truncation was already supported", do you mean the
>> use of strncmp() instead of strcmp()?
>
> Yes.
>
>> A more reliable test would be to
>> also check that the length of the string returned by get_key() is not
>> greater than plaintext_length. strncmp() treats the two strings
>> equally, but for our purposes we allow for truncation of only one of
>> them and not the other. In other words, if get_key() returns a string
>> that is not properly NUL-terminated at plaintext_length (and presumably
>> has garbage in further characters) when the plaintext was of this
>> maximum length or more, we want this detected as an error.
>
> Get it. I think what I need is to add the check that the length of the string
> returned by get_key() is not greater than plaintext_length before strncmp().
>
Before strncmp(), we also should check the length of string returned
by get_key() should not smaller than plaintext_min_length.
So the length should between plaintext_min_length and plaintext_length,
including.
Thanks,
Kai
Powered by blists - more mailing lists
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
