possible bug in chgpasswd.c/smbdes.c

Simo Sorce idra at samba.org
Thu Jul 19 15:42:50 GMT 2001

I've seen that while searching for a possible bug a user reported in unix password sync.
What does not convince me is that we increment index_i up to 516
and then read and store values in s_box[index_i], but
s_box is declared as follows:
  unsigned char s_box[256];

Here is my concern:

On Thu, Jul 19, 2001 at 09:35:47AM -0500, Gerald Carter wrote:
> On Thu, 19 Jul 2001, Simo Sorce wrote:
> > It seems that the check_oem_password function in smbd/chgpasswd.c calls
> > the SamOEMhash function in libsmb/smbdes.c with a val of 516, and this may
> > be a bug in either check_oem_password or SamOEMhash. The last for
> > cycle in SamOEMhash increments ind and index_i from 0 to 516, but
> > s_box[] indexed by index_i is only 256 chars long. So I think index_i
> > goes out of buffer boundaries halfway through the for cycle, and we also
> > modify that region. This function seems to be called only when syncing
> > unix passwords when changing passwords. Can anyone confirm it? Or have
> > I missed something?
> Is something not working?  I mean are you tracking down a bug or just
> curious?
> Cheers, jerry
>  ---------------------------------------------------------------------
>  http://www.valinux.com/     VA Linux Systems      gcarter at valinux.com
>  http://www.samba.org/          SAMBA Team             jerry at samba.org
>  http://www.plainjoe.org/                           jerry at plainjoe.org
>  --"I never saved anything for the swim back." Ethan Hawk in Gattaca--

Simo Sorce       idra at samba.org
Samba Team http://www.samba.org
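The loop under discussion is an RC4-style keystream pass, and whether `s_box[index_i]` stays inside the 256-entry table for a 516-byte buffer depends on the declared width of `index_i`, not on the loop bound, so the declaration is what to check. The C below is an added illustration, not Samba's code: it runs the same loop shape with a guarded table access and counts how many accesses would fall outside `s_box` for an 8-bit versus an `int` counter (the key schedule, the 16-byte key and the 516-byte buffer are constructed assumptions).

```c
#include <stdint.h>
#include <string.h>
#define SBOX_LEN 256

/* Key schedule of the RC4-style construction the thread describes. */
static void ksa(uint8_t s_box[SBOX_LEN], const uint8_t *key, size_t keylen)
{
    uint8_t j = 0;
    for (int ind = 0; ind < SBOX_LEN; ind++)
        s_box[ind] = (uint8_t)ind;
    for (int ind = 0; ind < SBOX_LEN; ind++) {
        j += s_box[ind] + key[ind % keylen];
        uint8_t tc = s_box[ind];
        s_box[ind] = s_box[j];
        s_box[j] = tc;
    }
}

/* Keystream pass over val bytes. narrow_index = 1 models `unsigned char
 * index_i` (wraps at 256); 0 models an `int` counter that grows unbounded.
 * An index that would leave s_box is counted and skipped, never
 * dereferenced. Returns that count: 0 means the loop is sound for val. */
static int stream_pass(uint8_t *data, int val, const uint8_t *key,
                       size_t keylen, int narrow_index)
{
    uint8_t s_box[SBOX_LEN], index_j = 0, tc;
    int index_i = 0, oob = 0;
    ksa(s_box, key, keylen);
    for (int ind = 0; ind < val; ind++) {
        index_i++;
        if (narrow_index)
            index_i &= 0xFF;            /* what the 8-bit declaration does */
        if (index_i >= SBOX_LEN) { oob++; continue; }
        index_j += s_box[index_i];
        tc = s_box[index_i];
        s_box[index_i] = s_box[index_j];
        s_box[index_j] = tc;
        data[ind] ^= s_box[(uint8_t)(s_box[index_i] + s_box[index_j])];
    }
    return oob;
}

/* Constructed input: a 516-byte buffer and 16-byte key (not Samba data). */
int oob_count_for_516(int narrow_index)
{
    uint8_t data[516], key[16];
    memset(data, 0x41, sizeof data);
    memset(key, 0x5a, sizeof key);
    return stream_pass(data, 516, key, sizeof key, narrow_index);
}
```

With an 8-bit counter no access leaves the table; with an `int` counter every iteration from the 256th onward (261 of the 516) would index past it.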
