Hi YAEGASHI,
On Fri, Jun 24, 2005 at 09:49:59PM +0900, YAEGASHI Takeshi wrote:
> --- util-linux-2.12p.orig/mount/lomount.c 2005-06-24 20:39:36.073263112
> +0900
> +++ util-linux-2.12p/mount/lomount.c 2005-06-24 21:12:33.783174438 +0900
(...)
> + strcpy(passwdbuff+1,pass);
> passwdbuff[0] = 'A';
> - rmd160_hash_buffer(keybits,pass,strlen(pass));
> -
> rmd160_hash_buffer(keybits+HASHLENGTH,passwdbuff,strlen(pass)+1);
> + rmd160_hash_buffer(keybits,pass,passwdlen);
> + rmd160_hash_buffer(keybits+HASHLENGTH,passwdbuff,passwdlen+1);
> + memset(pass, 0, passwdlen);
> + free(passwdbuff);
This looks like it leaves the passphrase as free'd memory on the heap.
Maybe add a memset before freeing the buffer?
> memcpy((char*)loopinfo64.lo_encrypt_key,keybits,2*HASHLENGTH);
> keylength=0;
> for(i=0; crypt_type_tbl[i].id != -1; i++){
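Review bot: at `free(passwdbuff);` the buffer still holds 'A' followed by the passphrase, while only `pass` is cleared by `memset(pass, 0, passwdlen);`. Clear passwdlen+1 bytes of passwdbuff before the free, and do it with a wipe the compiler cannot drop as a dead store, for example by writing through a volatile pointer, since a plain memset immediately before free can be removed under optimization. The lines shown also leave `keybits` holding the derived key after the memcpy into loopinfo64.lo_encrypt_key; if it is not cleared later in the function, wipe it once the key has been copied.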
> @@ -423,15 +426,18 @@
> default:
> if (hash_password) {
(...)
> + strcpy(passwdbuff+1,pass);
> passwdbuff[0] = 'A';
> - rmd160_hash_buffer(keybits,pass,strlen(pass));
> -
> rmd160_hash_buffer(keybits+HASHLENGTH,passwdbuff,strlen(pass)+1);
> - memset(pass, 0, strlen(pass));
> + rmd160_hash_buffer(keybits,pass,passwdlen);
> +
> rmd160_hash_buffer(keybits+HASHLENGTH,passwdbuff,passwdlen+1);
> + memset(pass, 0, passwdlen);
> + free(passwdbuff);
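Review bot: `strcpy(passwdbuff+1,pass);` writes the passphrase plus its terminating NUL starting at offset 1, so, assuming passwdlen is strlen(pass) as the replaced lines suggest, the allocation in the elided lines has to be at least passwdlen+2 bytes and checked for NULL before this line; neither is visible here. Since the length is already in passwdlen and the second hash reads only passwdlen+1 bytes, `memcpy(passwdbuff+1, pass, passwdlen);` would make the bound explicit. As in the first hunk, passwdbuff reaches `free(passwdbuff);` with the passphrase copy still in it.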
Similar thing here.
cheers,
Max