possible bug in chgpasswd.c/smbdes.c
Simo Sorce
idra at samba.org
Thu Jul 19 15:42:50 GMT 2001
I've seen that while searching for a possible bug a user reported in unix password sync.
What does not convince me is that we increment index_i up to 516
and then read and store values in s_box[index_i], but
s_box is declared as follows:
unsigned char s_box[256];
Here is my concern,
bye,
Simo.
On Thu, Jul 19, 2001 at 09:35:47AM -0500, Gerald Carter wrote:
> On Thu, 19 Jul 2001, Simo Sorce wrote:
>
> > It seems that the check_oem_password function in smbd/chgpasswd.c calls
> > the SamOEMhash function in libsmb/smbdes.c with a val of 516 and this may
> > be a bug in either check_oem_password or SamOEMhash. The last for
> > cycle in SamOEMhash increments ind and index_i from 0 to 516, but
> > s_box[] indexed by index_i is only 256 chars long. So I think index_i
> > goes out of buffer boundaries at half the for cycle, and we also
> > modify that region. This function seems to be called only when syncing
> > unix passwords when changing password. Can anyone confirm it? Or have
> > I missed something?
>
> Is something not working? I mean are you tracking down a bug or just
> curious?
>
>
>
> Cheers, jerry
> ---------------------------------------------------------------------
> http://www.valinux.com/ VA Linux Systems gcarter at valinux.com
> http://www.samba.org/ SAMBA Team jerry at samba.org
> http://www.plainjoe.org/ jerry at plainjoe.org
> --"I never saved anything for the swim back." Ethan Hawk in Gattaca--
>
>
--
Simo Sorce idra at samba.org
-------------------------------
Samba Team http://www.samba.org
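
The indexing question raised in this thread, as an added example (not Samba's code and not part of either message): for an RC4-style routine of the shape described above (a 256-byte s_box and a loop that increments an index once per data byte), whether s_box[index_i] stays inside the array over 516 iterations depends on the width of the index type. The names rc4_xor and first_oob_iteration are hypothetical, and the thread does not show how index_i is declared, so both the 8-bit and the int case are modelled.

```c
#include <stddef.h>

#define SBOX_LEN 256

/* RC4 with unsigned char indices (added example, not Samba's SamOEMhash).
 * i wraps 255 -> 0, so s_box[i] and s_box[j] stay inside the array
 * however long the data is. */
void rc4_xor(unsigned char *data, size_t len,
             const unsigned char *key, size_t keylen)
{
    unsigned char s_box[SBOX_LEN];
    unsigned char i = 0, j = 0, tmp;
    size_t n;

    if (keylen == 0) return;                   /* avoid n % 0 below */
    for (n = 0; n < SBOX_LEN; n++)
        s_box[n] = (unsigned char)n;
    for (n = 0; n < SBOX_LEN; n++) {           /* key schedule */
        j = (unsigned char)(j + s_box[n] + key[n % keylen]);
        tmp = s_box[n]; s_box[n] = s_box[j]; s_box[j] = tmp;
    }
    j = 0;
    for (n = 0; n < len; n++) {                /* keystream + XOR */
        i = (unsigned char)(i + 1);
        j = (unsigned char)(j + s_box[i]);
        tmp = s_box[i]; s_box[i] = s_box[j]; s_box[j] = tmp;
        data[n] ^= s_box[(unsigned char)(s_box[i] + s_box[j])];
    }
}

/* Walks the same index progression without touching memory.
 * wrap8 != 0 models an 8-bit index, wrap8 == 0 a plain int index.
 * Returns the loop iteration (ind) at which the index first reaches
 * SBOX_LEN, or -1 if it never does. */
int first_oob_iteration(int val, int wrap8)
{
    int ind, index_i = 0;
    for (ind = 0; ind < val; ind++) {
        index_i++;
        if (wrap8)
            index_i &= 0xff;
        if (index_i >= SBOX_LEN)
            return ind;
    }
    return -1;
}
```

With val = 516, an int index first leaves the array at iteration 255, while an 8-bit index never does; checking the declaration of index_i in smbdes.c settles which case applies.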