Fixed out-of-boundary write in slow candidates mode in combinator attack

2024-11-05 23:10:00 +00:00 · 2021-06-24 12:15:41 +02:00 · 2021-06-24 12:15:41 +02:00 · 1a4758da83
commit 1a4758da83
parent 28c08de9ef
2 changed files with 8 additions and 2 deletions
--- a/docs/changes.txt
+++ b/docs/changes.txt
@ -17,6 +17,7 @@
 - Fixed false negative in hash-mode 15900 (DPAPI masterkey file v2) if password was longer than 64 characters
 - Fixed hashcat_ctx leak and refactor module and kernel existence checks
 - Fixed integer overflow in Recovered/Time status view column caused by division > 0 but < 1
+- Fixed out-of-boundary write in slow candidates mode in combinator attack

 ##
 ## Features
--- a/src/slow_candidates.c
+++ b/src/slow_candidates.c
@ -313,11 +313,16 @@ void slow_candidates_next (hashcat_ctx_t *hashcat_ctx, void *extra_info)
      break;
    }

-    memcpy (extra_info_combi->out_buf + extra_info_combi->out_len, line_buf, line_len);
+    // this can overflow so we move it up

    extra_info_combi->out_len += line_len;

-    memset (extra_info_combi->out_buf + extra_info_combi->out_len, 0, sizeof (extra_info_combi->out_buf) - extra_info_combi->out_len);
+    if (extra_info_combi->out_len <= sizeof (extra_info_combi->out_buf))
+    {
+      memcpy (extra_info_combi->out_buf + extra_info_combi->out_len, line_buf, line_len);
+
+      memset (extra_info_combi->out_buf + extra_info_combi->out_len, 0, sizeof (extra_info_combi->out_buf) - extra_info_combi->out_len);
+    }

    extra_info_combi->comb_pos_prev = extra_info_combi->comb_pos;