From b3dfd7057e6c5fe10c7385c662131e9a85dd7a48 Mon Sep 17 00:00:00 2001 From: philsmd Date: Sat, 2 Apr 2016 18:05:08 +0200 Subject: [PATCH] fixed -m 10200 = Cram MD5 parser: check for NULL pointers ASAP, check base64 input length --- docs/changes.txt | 4 ++++ src/shared.c | 12 +++++++++--- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/docs/changes.txt b/docs/changes.txt index 341c070bc..e1cd33813 100644 --- a/docs/changes.txt +++ b/docs/changes.txt @@ -184,6 +184,10 @@ Type.: Bug File.: Host Desc.: Fixed some checks in the parser of -m 8900 = scrypt +Type.: Bug +File.: Host +Desc.: Fixed some checks in the parser of -m 10200 = Cram MD5 + * changes v2.00 -> v2.01: Type.: Bug diff --git a/src/shared.c b/src/shared.c index 5543a10ff..7ee5520c0 100644 --- a/src/shared.c +++ b/src/shared.c @@ -16182,16 +16182,18 @@ int crammd5_parse_hash (char *input_buf, uint input_len, hash_t *hash_buf) char *hash_pos = strchr (salt_pos, '$'); - uint salt_len = hash_pos - salt_pos; - if (hash_pos == NULL) return (PARSER_SEPARATOR_UNMATCHED); + uint salt_len = hash_pos - salt_pos; + hash_pos++; uint hash_len = input_len - 10 - salt_len - 1; // base64 decode salt + if (salt_len > 133) return (PARSER_SALT_LENGTH); + u8 tmp_buf[100] = { 0 }; salt_len = base64_decode (base64_to_int, (const u8 *) salt_pos, salt_len, tmp_buf); @@ -16204,12 +16206,16 @@ int crammd5_parse_hash (char *input_buf, uint input_len, hash_t *hash_buf) salt->salt_len = salt_len; - // base64 decode salt + // base64 decode hash + + if (hash_len > 133) return (PARSER_HASH_LENGTH); memset (tmp_buf, 0, sizeof (tmp_buf)); hash_len = base64_decode (base64_to_int, (const u8 *) hash_pos, hash_len, tmp_buf); + if (hash_len < 32 + 1) return (PARSER_SALT_LENGTH); + uint user_len = hash_len - 32; const u8 *tmp_hash = tmp_buf + user_len;
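Review bot: The new bound `if (salt_len > 133)` is a magic number with no visible link to `u8 tmp_buf[100]`, and it may be one group too generous. 133 base64 characters fit in 100 bytes only if the decoder drops the trailing partial group; a decoder that works in whole 4-character groups would write 34 × 3 = 102 bytes. base64_decode is not shown here, so this needs checking against its loop. Deriving the limit from the buffer avoids the question: declare `tmp_buf` before the check and use `if (salt_len > (sizeof (tmp_buf) / 3) * 4) return (PARSER_SALT_LENGTH);`. The same constant guards `hash_len` in the next hunk of src/shared.c and has the same exposure; crammd5_parse_hash begins before and continues after this hunk.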
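Review bot: The added lower-bound check `if (hash_len < 32 + 1) return (PARSER_SALT_LENGTH);` reports a salt-length error for what is a hash-length failure. It should read `if (hash_len < 32 + 1) return (PARSER_HASH_LENGTH);`, matching the upper-bound check added a few lines above, so a rejected line is attributed to the right field. The bare `32` would also benefit from a comment such as `// last 32 decoded bytes are the digest, the bytes before them the user part`, which is what `user_len = hash_len - 32` and `tmp_hash = tmp_buf + user_len` imply. The function continues past the end of this hunk, so how `tmp_hash` is validated afterwards is not visible here.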