Date: Tue, 8 Nov 2011 16:02:34 -0600
From: "jfoug" <jfoug@....net>
To: <john-dev@...ts.openwall.com>
Subject: RE: LM & NT prepare() segfaults

This was called on pot loading, in an attempt to match/deal with 'valid'
lines, in any valid format.  So,

$dynamic_0$01234567890123456789000:some_pass
01234567890123456789000:some_pass
md5_gen(0)01234567890123456789000:some_pass

would all be seen as valid lines, that would scrub a hash at startup.

The pot will ONLY have this format:

$dynamic_0$01234567890123456789000:some_pass

written into it, but the prepare was added to try to 'unify' validity
checking of the pot file.  Also, if a user started with raw-md5, and later
used dynamic_0, then things would 'work' properly.

I will need to put a little time in to answer your question, but I believe
the only 2 fields 'required' would be the first 2.  Yes, we certainly would
need to add proper logic into lm/nt (or ANY prepare), to check if element 2
was null or not, prior to using it.

NOTE, in loader, all nulls get set to "", so it is likely that is the proper
thing to add to the pot loading.  Simply make sure that all array elements
past the first 2, are set to "".  There is NO information in the pot file
that can help the prepare function, beyond the first 2 elements anyway (both
of them being the hash).

Jim.

>From: Solar Designer [mailto:solar@...nwall.com]
>
>Jim -
>
>With 0037-dynamic-split-addition-1.diff prepare() is now called not only
>for password files to crack, but also for pot entries.  (I don't know
>what you're doing this for, but that's another matter.)  This exposed
>the fact that implementations of prepare() just assume that their
>expected number of fields is available.  Specifically, LM's and NT's
>prepare() look for fields beyond the 2nd.  I've just introduced the
>obvious non-NULL checks into these two.
>
>What about the first two fields, though - should prepare() assume that
>these are always present?  Should loader.c be careful to only call
>prepare() when at least two fields are present?  Does it ensure that
>currently (I haven't checked)?
>
>Alexander
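
The normalisation suggested in the message above, as an added example that is not part of the original post and is not John the Ripper's own code: elements 0 and 1 both receive the hash, every later element is "" rather than NULL, and a prepare()-style reader still checks for NULL. NFIELDS, pot_fields() and field_or_hash() are hypothetical names, and splitting at the first ':' is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>

#define NFIELDS 10  /* assumed array size for this sketch */

static char empty[] = "";

/* Build the field array for one pot line ("hash:plaintext"), modified in
 * place. Elements 0 and 1 both get the hash, as the message describes;
 * every later element is "" instead of NULL. Returns 0 on success,
 * -1 if the line has no hash (caller should then skip prepare()). */
int pot_fields(char *line, char *fields[NFIELDS])
{
    char *sep;
    int i;

    for (i = 0; i < NFIELDS; i++)
        fields[i] = empty;
    if (line == NULL || *line == '\0' || *line == ':')
        return -1;
    sep = strchr(line, ':');
    if (sep != NULL)
        *sep = '\0';          /* cut off the plaintext */
    fields[0] = fields[1] = line;
    return 0;
}

/* Hypothetical prepare()-style helper: prefer a later field if it holds
 * data, else fall back to element 1. The NULL test keeps it safe even
 * when a caller did not normalise the array. */
const char *field_or_hash(char *fields[NFIELDS], int idx)
{
    if (idx >= 0 && idx < NFIELDS && fields[idx] != NULL && fields[idx][0] != '\0')
        return fields[idx];
    return fields[1] != NULL ? fields[1] : empty;
}

int main(void)
{
    /* constructed sample line, modelled on the one quoted in the message */
    char line[] = "$dynamic_0$01234567890123456789000:some_pass";
    char *f[NFIELDS];

    if (pot_fields(line, f) == 0)
        printf("field 3 lookup -> %s\n", field_or_hash(f, 3));
    return 0;
}
```
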