Date: Fri, 14 Aug 2015 10:55:06 +0800 From: Kai Zhao <loverszhao@...il.com> To: john-dev@...ts.openwall.com Subject: Re: auditing our use of FMT_* flags On Fri, Aug 14, 2015 at 10:49 AM, Kai Zhao <loverszhao@...il.com> wrote: > Hi Alexander, > > On Fri, Aug 14, 2015 at 3:18 AM, Solar Designer <solar@...nwall.com> wrote: >> Kai, >> >> When you say that "truncation was already supported", do you mean the >> use of strncmp() instead of strcmp()? > > Yes. > >> A more reliable test would be to >> also check that the length of the string returned by get_key() is not >> greater than plaintext_length. strncmp() treats the two strings >> equally, but for our purposes we allow for truncation of only one of >> them and not the other. In other words, if get_key() returns a string >> that is not properly NUL-terminated at plaintext_length (and presumably >> has garbage in further characters) when the plaintext was of this >> maximum length or more, we want this detected as an error. > > Get it. I think what I need is to add the check that the length of the string > returned by get_key() is not greater than plaintext_length before strncmp(). > Before strncmp(), we also should check the length of string returned by get_key() should not smaller than plaintext_min_length. So the length should between plaintext_min_length and plaintext_length, including. Thanks, Kai
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.