possible bug in chgpasswd.c/smbdes.c
Syzop
syz at dds.nl
Thu Jul 19 16:28:54 GMT 2001
Does indeed look wrong if you ask me :P
Trace...
smbd/chgpasswd.c
    SamOEMhash((uchar *) lmdata, (uchar *) smbpw->smb_passwd, 516);
libsmb/smbdes.c:361:
    void SamOEMhash( unsigned char *data, unsigned char *key, int val)
    {
      unsigned char s_box[256];
      -- snip --
      for( ind = 0; ind < val; ind++)
      {
        -- snip --
        s_box[index_i] = s_box[index_j];
Syzop.
Simo Sorce wrote:
> Seems that check_oem_password function in smbd/chgpasswd.c calls SamOEMhash function in libsmb/smbdes.c with a val of 516 and this may be a bug in either check_oem_password or SamOEMhash.
> The last for cycle in SamOEMhash increments ind and index_i from 0 to 516, but
> s_box[] indexed by index_i is only 256 chars long.
> So I think index_i goes out of buffer boundaries at half the for cycle, and
> we also modify that region.
> This function seems to be called only when syncing unix passwords when changing password.
> Can anyone confirm it?
> Or have I missed something?
>
> --
> Simo Sorce idra at samba.org
> -------------------------------
> Samba Team http://www.samba.org
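One way to check the index question raised in this thread, as an added example that is not part of the original posts and is not Samba's code: a stream loop shaped like the quoted trace, instrumented to report how far index_i travels when val is 516. The trace snips the declaration of index_i, so the function name audit_stream_loop, the wrap8 switch and the key/buffer values are assumptions made here, and both possible typings of the counter are modelled.

```c
#include <stdio.h>
#include <stddef.h>

#define SBOX_LEN 256

struct audit { int max_index_i; int oob_accesses; };

/* Stream loop shaped like the quoted trace, instrumented to audit index_i.
 * The trace snips index_i's declaration, so both typings are modelled
 * (assumption): wrap8=1 acts as unsigned char (wraps modulo 256, which makes
 * this the standard RC4 loop); wrap8=0 acts as int and grows with ind.
 * Out-of-range accesses are counted and skipped, never performed. */
struct audit audit_stream_loop(unsigned char *data, const unsigned char *key,
                               size_t keylen, int val, int wrap8)
{
    unsigned char s_box[SBOX_LEN], tc, j = 0, index_j = 0;
    int index_i = 0, ind;
    struct audit a = {0, 0};

    for (ind = 0; ind < SBOX_LEN; ind++)
        s_box[ind] = (unsigned char)ind;
    for (ind = 0; ind < SBOX_LEN; ind++) {          /* key schedule */
        j = (unsigned char)(j + s_box[ind] + key[ind % keylen]);
        tc = s_box[ind]; s_box[ind] = s_box[j]; s_box[j] = tc;
    }
    for (ind = 0; ind < val; ind++) {               /* val = 516 in the report */
        index_i = wrap8 ? ((index_i + 1) & 0xff) : index_i + 1;
        if (index_i > a.max_index_i) a.max_index_i = index_i;
        if (index_i >= SBOX_LEN) { a.oob_accesses++; continue; }
        index_j = (unsigned char)(index_j + s_box[index_i]);
        tc = s_box[index_i]; s_box[index_i] = s_box[index_j]; s_box[index_j] = tc;
        data[ind] ^= s_box[(unsigned char)(s_box[index_i] + s_box[index_j])];
    }
    return a;
}

int main(void)
{
    unsigned char key[16] = {0}, buf[516] = {0};    /* constructed inputs */
    for (int w = 1; w >= 0; w--) {
        struct audit a = audit_stream_loop(buf, key, sizeof key, 516, w);
        printf("wrap8=%d max index_i=%d out-of-range=%d\n",
               w, a.max_index_i, a.oob_accesses);
    }
    return 0;
}
```

Whether the reported overrun can occur therefore depends on the declared type of index_i, which is the part of the function to read before confirming the report.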