Date: Tue, 23 Apr 2013 18:14:49 +0400
From: Alexander Cherepanov <>
Subject: atoi -- undefined behavior


From the C99 standard: "The functions atof, atoi, atol, and atoll need 
not affect the value of the integer expression errno on an error. If the 
value of the result cannot be represented, the behavior is undefined."

This means that if atoi meets a number which overflows int the behavior 
of all the program is undefined which is not good. Dealing with this in 
jumbo is for another time but there is one atoi in core john -- in BF_fmt.c:

118-	if (ciphertext[4] < '0' || ciphertext[4] > '9') return 0;
119-	if (ciphertext[5] < '0' || ciphertext[5] > '9') return 0;
120:	rounds = atoi(ciphertext + 4);
121-	if (rounds < 4 || rounds > 31) return 0;
123-	if (ciphertext[6] != '$') return 0;

Possible solutions -- move check for '$' before atoi, convert by hand 
instead of atoi, use strtol.

Alexander Cherepanov
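
An added example, not part of the original message and not John the Ripper code: two of the suggested fixes for the rounds field, one converting the two digits by hand after checking for '$', one using strtol with its defined overflow reporting. The helper names, the "$2a$" prefix check and the sample strings are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: convert the two-digit rounds field by hand.
 * Returns the rounds value (4..31) or -1 if the field is malformed. */
static int bf_rounds_by_hand(const char *ciphertext)
{
	int rounds;

	if (strncmp(ciphertext, "$2a$", 4)) return -1; /* assumed prefix */
	if (ciphertext[4] < '0' || ciphertext[4] > '9') return -1;
	if (ciphertext[5] < '0' || ciphertext[5] > '9') return -1;
	if (ciphertext[6] != '$') return -1; /* bound the field before converting */
	rounds = (ciphertext[4] - '0') * 10 + (ciphertext[5] - '0');
	if (rounds < 4 || rounds > 31) return -1;
	return rounds;
}

/* Hypothetical helper: the same check with strtol, which on overflow
 * returns LONG_MAX/LONG_MIN and sets errno to ERANGE (defined behavior). */
static int bf_rounds_strtol(const char *ciphertext)
{
	char *end;
	long rounds;

	if (strncmp(ciphertext, "$2a$", 4)) return -1; /* assumed prefix */
	if (ciphertext[4] < '0' || ciphertext[4] > '9') return -1; /* no sign/space */
	errno = 0;
	rounds = strtol(ciphertext + 4, &end, 10);
	if (errno == ERANGE) return -1;
	if (end != ciphertext + 6 || *end != '$') return -1; /* exactly 2 digits */
	if (rounds < 4 || rounds > 31) return -1;
	return (int)rounds;
}

int main(void)
{
	/* Constructed inputs; the last one would overflow int in atoi. */
	static const char *samples[] = {
		"$2a$05$rest", "$2a$5$rest", "$2a$99999999999999999999$rest" };
	size_t i;
	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%s -> %d / %d\n", samples[i],
		    bf_rounds_by_hand(samples[i]), bf_rounds_strtol(samples[i]));
	return 0;
}
```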
