Date: Thu, 08 Jun 2017 06:20:58 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 132302] [patch] smbutil(1): contrib/smbfs subr.c: saved passwords >18 char fail Message-ID: <bug-132302-8-fFYGpKjAeL@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-132302-8@https.bugs.freebsd.org/bugzilla/> References: <bug-132302-8@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D132302 --- Comment #5 from Matthias Apitz <guru@unixarea.de> --- (In reply to Josh Paetzel from comment #3) I was thinking last night about the proposed patch and wanted to modify it,= but now it's committed already before I could put hands on the keyboard; the problem (bug) was that the value in 'pos' for the XOR operation: ch ^=3D pos; at some point exceeds, when the to be crypted password is long enough, exce= eds one byte, and so does the result in 'ch'; later the value from 'ch' is form= ated to a hex string with sprintf(dst, "%02x", ch); dst +=3D 2; which gives in 'dst' four new bytes, like 0136, but the pointer 'dst' is on= ly moved two byte further; this damages the resulting string in 'dst' for the crypted pw and later decrypt goes wrong; Said this, the test for 'pos' not exceeding one byte must be=20 if (pos >=3D 256)=20 pos -=3D256;' because a pw of 57 bytes lenth will hit the point where 'pos' is exactly 256 (0x100); 57++ bytes is a very unlikely password, but as it s stored into a file and = not typed in from time to time it's not impossible thinking in such a beast; sorry to come late with this comment; --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-132302-8-fFYGpKjAeL>