Date: Wed, 6 Jul 2016 17:27:33 +0200
From: magnum <>
Subject: rules.c bug/feature


While playing with some old contest rules I found a bug in John that's 
not Jumbo-specific: apparently it lacks some checks, so a 'ddd' rule will 
blow the destination buffer even at moderate input lengths (e.g. 50).

The implications are a smashed rules_data.classes array which may 
eventually lead to a segfault but I think it may also just "seem to 
work" although subsequent rules will actually execute incorrectly.

I think the best fix is to quietly truncate the copy so ddd (and even 
dddd and so on) will work fine with short enough words? Here is a fix 
that seems to work but is not much tested, and I really did not count the 
fence posts very carefully:

diff --git a/src/rules.c b/src/rules.c
index d20d1d5..0bb525b 100644
--- a/src/rules.c
+++ b/src/rules.c
@@ -441,7 +441,9 @@ char *rules_apply(char *word, char *rule, int split, 
char *last)

                 case 'd':
-                       memcpy(in + length, in, length);
+                       if (rules_max_length - length > 0)
+                               strnzcpy(in + length, in,
+                                        rules_max_length - length);
                         in[length <<= 1] = 0;
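Review bot: the unchanged context line `in[length <<= 1] = 0;` still doubles `length` unconditionally, so whenever the copy is clipped the recorded length no longer matches the string and the terminator is written at `in[2*length]`, which can still lie past `rules_max_length` (the one-byte overflow the hunk set out to remove, and a wrong `length` for every later rule command). Suggest clamping the length instead of only the copy, e.g. `length = MIN(length << 1, rules_max_length); in[length] = 0;`, keeping the `strnzcpy` call bounded by the same value. Also, assuming `strnzcpy` copies at most size-1 bytes plus a NUL (as its name suggests), the `rules_max_length - length > 0` guard passes a size of 1 when exactly one byte is free, which copies nothing and only rewrites the existing terminator; harmless, but worth a comment so the boundary is not "fixed" again later.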

I'll wait with fixing Jumbo until you comment.
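The following is an added, stand-alone illustration of the bounded duplicate rule the message asks for; it is not John's code and not magnum's patch. It assumes a fixed ceiling of 125 characters (a constructed stand-in for John's run-time `rules_max_length`) and a 50-character input, and shows both the length the unchecked doubling would need and the clamped result that stays inside the buffer, with a guard byte confirming nothing was written past it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed ceiling for the demonstration; John's real limit is
 * rules_max_length and is set at run time. */
#define RULE_MAX_LEN 125

/* Apply the 'd' (duplicate) rule once into a bounded buffer.
 * `word` is NUL-terminated and no longer than `max_len`; the copy is
 * truncated so at most `max_len` characters remain, always NUL-terminated.
 * Returns the new (clamped) length, so callers never lose track of it. */
static size_t rule_dup_bounded(char *word, size_t max_len)
{
    size_t length = strlen(word);
    size_t room = (length < max_len) ? max_len - length : 0;
    size_t copy = (length < room) ? length : room;

    /* Unlike an unchecked memcpy(in + length, in, length), this never
     * writes past max_len; source and destination cannot overlap. */
    memcpy(word + length, word, copy);
    length += copy;
    word[length] = '\0';
    return length;
}

/* Apply 'd' `times` times, as a rule string such as "ddd" would. */
static size_t apply_dup_rule(char *word, size_t max_len, int times)
{
    size_t length = strlen(word);
    while (times-- > 0)
        length = rule_dup_bounded(word, max_len);
    return length;
}

/* Length the unchecked version would produce: every 'd' doubles it. */
static size_t unchecked_length(size_t length, int times)
{
    while (times-- > 0)
        length <<= 1;
    return length;
}

/* Constructed demo: `input_len` copies of 'a', then 'd' applied `times`
 * times inside a RULE_MAX_LEN buffer with a guard byte after it.
 * Returns the final length, or (size_t)-1 if the guard byte or the
 * terminator was clobbered. */
static size_t demo_bounded_dup(size_t input_len, int times)
{
    char buf[RULE_MAX_LEN + 2];          /* +1 for NUL, +1 for the guard */
    size_t length;

    if (input_len > RULE_MAX_LEN)
        return (size_t)-1;
    memset(buf, 'a', input_len);
    buf[input_len] = '\0';
    buf[RULE_MAX_LEN + 1] = 'G';         /* guard byte past the buffer */

    length = apply_dup_rule(buf, RULE_MAX_LEN, times);
    if (buf[RULE_MAX_LEN + 1] != 'G' || buf[length] != '\0')
        return (size_t)-1;
    return length;
}

int main(void)
{
    size_t need = unchecked_length(50, 3);
    size_t got = demo_bounded_dup(50, 3);

    printf("unchecked 'ddd' on 50 chars needs %zu bytes (limit %d); "
           "bounded result is %zu chars\n", need, RULE_MAX_LEN, got);
    return 0;
}
```

The important design point is that the clamped length is returned and reused: a fix that bounds the copy but still doubles the length variable leaves the terminator and every later rule command working from a length that the buffer does not actually hold.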

