Date: Mon, 19 Mar 2007 23:45:25 +0300 From: Solar Designer <solar@...nwall.com> To: john-users@...ts.openwall.com Subject: Re: Buffer Overflow warning with -fstack-protector and bigpatch 18.104.22.168 (des3-cbc-sha1) On Mon, Mar 19, 2007 at 08:36:33PM +0100, Till Maas wrote: > #5 0x08055c15 in krb5_decrypt_compare () at KRB5_fmt.c:167 Line 167 is the last line of the function, so we don't know what line actually triggers the check. Without reviewing that code in full context (I don't care about it enough to do that), I've only noticed that the strncmp() is wrong - it should be skipped when there are fewer than strlen(KRBTGT) characters left from &plain[i] till the end of plain. But that might not be _the_ problem. Till, Erik - care to try fixing that function to make it work with -fstack-protector? > Btw. why are the patches distributed apart from john? You've identified one of the reasons - the quality is often inadequate. Other reasons include dependencies on external libraries (in this case it's libdes or OpenSSL) and licensing issues. -- Alexander Peslyak <solar at openwall.com> GPG key ID: 5B341F15 fp: B3FB 63F4 D7A3 BCCC 6F6E FC55 A2FC 027C 5B34 1F15 http://www.openwall.com - bringing security into open computing environments -- To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply to the automated confirmation request that will be sent to you.
Powered by blists - more mailing lists
Powered by Openwall GNU/*/Linux - Powered by OpenVZ