Message-ID: <890fbc717ce100637b48ef8b4c3e7c26@smtp.hushmail.com>
Date: Wed, 6 Jul 2016 17:27:33 +0200
From: magnum <john.magnum@...hmail.com>
To: john-dev@...ts.openwall.com
Subject: rules.c bug/feature
Solar,
While playing with some old contest rules I found a bug in John that's
not Jumbo-specific: apparently it lacks some checks, so a 'ddd' rule will
blow the destination buffer even at moderate input lengths (e.g. 50).
The implications are a smashed rules_data.classes array which may
eventually lead to a segfault, but I think it may also just "seem to
work" although subsequent rules will actually execute incorrectly.
I think the best fix is to quietly truncate the copy so ddd (and even
dddd and so on) will work fine with short enough words? Here is a fix
that seems to work but is not much tested, and I really did not count the
fence posts very carefully:
diff --git a/src/rules.c b/src/rules.c
index d20d1d5..0bb525b 100644
--- a/src/rules.c
+++ b/src/rules.c
@@ -441,7 +441,9 @@ char *rules_apply(char *word, char *rule, int split,
char *last)
break;
case 'd':
- memcpy(in + length, in, length);
+ if (rules_max_length - length > 0)
+ strnzcpy(in + length, in,
+ rules_max_length - length);
in[length <<= 1] = 0;
break;
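Review bot: the truncation in this hunk is not carried through to the length bookkeeping or the terminator. The unchanged `in[length <<= 1] = 0;` still doubles `length` and writes the NUL at the untruncated index, so for a word longer than `rules_max_length / 2` the zero byte lands past `rules_max_length` (the very overrun the patch is meant to stop), and `length` no longer describes what is actually in `in`, so following rule commands operate on a wrong length. Also, `strnzcpy` reserves one byte of its size argument for the terminator, so the copy is one character shorter than `rules_max_length - length` and copies nothing when the difference is exactly 1, which is a second fence-post problem. Suggest computing the truncated result length first, for example `new_length = length * 2; if (new_length > rules_max_length) new_length = rules_max_length;`, copying `new_length - length` bytes with memcpy (source and destination do not overlap here), and then setting `length = new_length; in[length] = 0;`. A comment on the case stating that 'd' silently truncates at `rules_max_length` would also help, since the old code never did.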
I'll wait with fixing Jumbo until you comment.
magnum