Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 27 Jun 2012 22:29:52 +0200
From: magnum <>
Subject: Re: incomplete valid() tests for many jumbo formats

On 2012-06-27 22:09, Frank Dittrich wrote:
> Several formats use very limited tests in valid().
> Best case scenario is that the format tries to crack hashes which are
> invalid, worst case scenario is that various errors can occur if someone
> passes data which will overflow buffers.
> The sooner we fix this, the sooner other contributors creating patches
> for new formats or for GPU implementations of existing formats will find
> better examples of how to implement valid().
> Examples:
> cuda_pwsafe_fmt.c:53:static int valid(char *ciphertext, struct fmt_main
> *pFmt)
> cuda_pwsafe_fmt.c-54-{
> cuda_pwsafe_fmt.c-55-        return !strncmp(ciphertext, "$pwsafe$", 8);
> cuda_pwsafe_fmt.c-56-}

Yes, this is a problem, and sometimes it's worse than the above (where
input files would be generated by pwsafe2john so are not very likely to
be malformed). If you feel like writing patches, just check out bleeding
and hit it! That won't disturb Jumbo-6. I committed the
-Wdeclaration-after-statement there.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.