possible bug in chgpasswd.c/smbdes.c

Syzop syz at dds.nl
Thu Jul 19 16:28:54 GMT 2001

Does indeed look wrong if you ask me :P

        SamOEMhash((uchar *) lmdata, (uchar *) smbpw->smb_passwd, 516);

void SamOEMhash( unsigned char *data, unsigned char *key, int val)
  unsigned char s_box[256];
-- snip,  --
  for( ind = 0; ind < val; ind++)
-- snip --
    s_box[index_i] = s_box[index_j];


Simo Sorce wrote:

> Seem that check_oem_password function in smbd/chgpasswd.c calls SamOEMhash function in libsmb/smbdes.c with a val of 516 an this may be a bug in either check_oem_password or SamOEMhash.
> The last for cicle in SamOEMhash increments ind and index_i from 0 to 516, but
> s_box[] indexed by index_i is only 256 chars long.
> So I think index_i goes out of buffer boundaries at half the for cicle, and
> we also modify that region.
> This function seem to be called only when syncing unix passwords when changing password.
> can anyone confirm it?
> or have I missed something?
> --
> Simo Sorce       idra at samba.org
> -------------------------------
> Samba Team http://www.samba.org

More information about the samba-technical mailing list