[Dovecot] Patch: fix $-terminated MCF
p/t_strdup_until wasn't returning a terminated string: Index: src/lib/strfuncs.c =================================================================== RCS file: /home/cvs/dovecot/src/lib/strfuncs.c,v retrieving revision 1.41 diff -u -p -r1.41 strfuncs.c --- src/lib/strfuncs.c 18 Jul 2004 01:44:59 -0000 1.41 +++ src/lib/strfuncs.c 31 Jul 2004 08:43:35 -0000 @@ -154,6 +154,7 @@ char *p_strdup_until(pool_t pool, const mem = p_malloc(pool, size + 1); memcpy(mem, start, size); + mem[size] = '\0'; return mem; } Noticed while testing $-terminated modular crypt strings, because I didn't (and still don't) understand the reason for line 65 of password-scheme.c; ... /* stop at next '$' */ p = strchr(p+3, '$'); if (p != NULL) *password = t_strdup_until(*password, p); ... and I have ln -s 'J' /etc/malloc.conf on freebsd 5-current, so malloc'd memory isn't zeroed, causing a segfault. Is there some system that appends dollar signs to MCF formats? The commit message for r1.3 of password-scheme.c doesn't explain. Joshua. -- Joshua Goodall "as modern as tomorrow afternoon" joshua@roughtrade.net - FW109
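Review bot: The added mem[size] = '\0'; in p_strdup_until() is in bounds, since the buffer is allocated with size + 1, but nothing in the hunk says whether p_malloc() is required to return zero-filled memory. If zero-fill is part of p_malloc()'s contract, the line is redundant and a one-line comment stating that contract would serve better; if it is not, keep the line and note in a comment that the terminator has to be written explicitly. The description names both p_strdup_until and t_strdup_until while only p_strdup_until is changed here, so please confirm that t_strdup_until goes through this function or gets the same line.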
On Sat, 2004-07-31 at 19:01 +1000, Joshua Goodall wrote:
> p/t_strdup_until wasn't returning a terminated string:
mem = p_malloc(pool, size + 1); memcpy(mem, start, size);
- mem[size] = '\0'; return mem;
It does, because p_malloc() always allocates zero-filled memory area. Or doesn't it in some conditions?
> Noticed while testing $-terminated modular crypt strings, because I didn't (and still don't) understand the reason for line 65 of password-scheme.c;
>
>     ...
>     /* stop at next '$' */
>     p = strchr(p+3, '$');
>     if (p != NULL)
>         *password = t_strdup_until(*password, p);
>     ...
>
> and I have ln -s 'J' /etc/malloc.conf on freebsd 5-current, so malloc'd memory isn't zeroed, causing a segfault.
Shouldn't segfault there.. t_strdup_until() anyway doesn't ever even reach to \0 character. Or where exactly does it crash?
> Is there some system that appends dollar signs to MCF formats? The commit message for r1.3 of password-scheme.c doesn't explain.
Well .. I don't have any MD5 passwords now so I'm not exactly sure if it's doing right. The code looks like it's expecting a string "$1$salt$password$" and it returns "$1$salt$password". password_generate_md5_crypt() seems to be able to deal with it.
Linux's crypt(3) man page says glibc adds the $ in the end.
On Sat, Jul 31, 2004 at 12:32:03PM +0300, Timo Sirainen wrote:
> Shouldn't segfault there.. t_strdup_until() anyway doesn't ever even reach to \0 character. Or where exactly does it crash?
I reversed the patch and it didn't crash again. Possibly PEBCAK. Maybe I didn't remake everything before linking (I've been working on blowfish hashes).
> Linux's crypt(3) man page says glibc adds the $ in the end.
I think that's just a doco bug; it isn't in the glibc code that I just looked at. It can't hurt, though.
Joshua.
-- Joshua Goodall "as modern as tomorrow afternoon" joshua@roughtrade.net - FW109
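
The trimming described in the thread ("$1$salt$password$" in, "$1$salt$password" out), paired with a copy routine that writes its own terminator, as an added example that is not Dovecot's code and not part of the original messages. The names junk_malloc, strdup_until and mcf_md5_trim are hypothetical, and the 0xA5 fill byte is a constructed stand-in for an allocator that does not zero memory.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an allocator that does not zero memory:
   every byte is filled with a junk value before it is handed out. */
static void *junk_malloc(size_t size)
{
    void *mem = malloc(size);
    if (mem != NULL)
        memset(mem, 0xA5, size);
    return mem;
}

/* Copy [start, end) into a fresh buffer. The terminator is written
   explicitly, so the result does not depend on zero-filled allocations. */
char *strdup_until(const char *start, const char *end)
{
    size_t size;
    char *mem;

    if (start == NULL || end == NULL || end < start)
        return NULL;
    size = (size_t)(end - start);
    mem = junk_malloc(size + 1);
    if (mem == NULL)
        return NULL;
    memcpy(mem, start, size);
    mem[size] = '\0';
    return mem;
}

/* Return a copy of an MD5-crypt MCF string "$1$salt$hash" cut at a '$'
   that follows the hash, if there is one. NULL if it is not "$1$salt$...". */
char *mcf_md5_trim(const char *password)
{
    const char *p;

    if (password == NULL || strncmp(password, "$1$", 3) != 0)
        return NULL;
    p = strchr(password + 3, '$');          /* end of the salt */
    if (p == NULL)
        return NULL;
    p = strchr(p + 1, '$');                 /* optional '$' after the hash */
    if (p == NULL)
        p = password + strlen(password);    /* nothing to trim */
    return strdup_until(password, p);
}
```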