Newsgroups: php.internals
Subject: Re: [PHP-DEV] Asking for a review of crypt() allocation changes
From: Ángel González <keisial@gmail.com>
To: Nikita Popov
CC: PHP internals <internals@lists.php.net>
Date: Sat, 30 Jun 2012 09:38:06 +0200
Message-ID: <4FEEACDE.5020008@gmail.com>

On 29/06/12 14:43, Nikita Popov wrote:
> Hi internals!
>
> Anthony and I have been looking a lot at the crypt() code recently
> and noticed that there are some strange things going on in the buffer
> allocations for the sha algorithms.
>
> We did two commits to fix them up a bit:
>
> http://git.php.net/?p=php-src.git;a=commitdiff;h=7e8276ca68fc622124d51d18e4f7b5cde3536de4

It took me a while to realise the problem being fixed. The bug is not the
memset (as reported in bug 62443), which is using needed (got fixed in
e6cf7d), or php_sha{256,512}_crypt_r (uses a null-terminated string), but
the salt[salt_in_len] = '\0'; after allocating only strlen(salt). So you
would be accessing position PHP_MAX_SALT_LEN of the array but have
reserved only a few bytes.

Just sizeof(sha512_rounds_prefix) + 9 + 1 seems enough for not making
bug62443.phpt segfault.

I have been able to crash it with

var_dump( crypt("foo", '$6$'.chr(0). str_pad('', 500, '*') . '$abc') );

but only if it's the first call.
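The allocation invariant behind the report, as an added C illustration that is not PHP's crypt code and not part of the original message: a store to salt[index] is only safe when the buffer was sized for that index, so sizing by strlen(salt) and then storing at a fixed position such as the maximum salt length breaks as soon as the string is shorter than that position (an embedded NUL makes strlen() tiny, which is exactly the shape of the crashing input above). MAX_SALT_LEN, its value, and every function name below are assumptions chosen for the example; the hardened copy sizes the buffer by the largest index it will ever write, independent of the input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap standing in for PHP's PHP_MAX_SALT_LEN (value assumed). */
#define MAX_SALT_LEN 123

/* Length of the salt as a C-string consumer would see it: stops at the
 * first NUL and never counts past the cap. */
size_t bounded_salt_len(const char *salt)
{
    size_t len = 0;
    while (len < MAX_SALT_LEN && salt[len] != '\0')
        len++;
    return len;
}

/* The buggy sizing rule from the report: allocate strlen(salt) bytes, then
 * store at a fixed index. Returns 1 when that store would land outside the
 * allocation (index >= allocated), i.e. an out-of-bounds write. */
int store_exceeds_strlen_alloc(const char *salt, size_t index)
{
    size_t allocated = strlen(salt);
    return index >= allocated;
}

/* Hardened copy: allocate for the largest index ever written plus the
 * terminator, independent of the input's strlen(). Caller frees. */
char *salt_dup_bounded(const char *salt)
{
    size_t len = bounded_salt_len(salt);
    char *buf = malloc(MAX_SALT_LEN + 1);     /* room for buf[MAX_SALT_LEN] */
    if (buf == NULL)
        return NULL;
    memcpy(buf, salt, len);
    buf[len] = '\0';                          /* len <= MAX_SALT_LEN: in bounds */
    return buf;
}

/* Round-trips a salt through salt_dup_bounded() and compares the result;
 * returns 1 on match so a caller can check it without juggling memory. */
int salt_dup_matches(const char *salt, const char *expected)
{
    char *copy = salt_dup_bounded(salt);
    int ok = copy != NULL && strcmp(copy, expected) == 0;
    free(copy);
    return ok;
}

/* Constructed sample with the shape of the crashing input in the message:
 * a "$6$" prefix, an embedded NUL, 500 '*' and a "$abc" tail. strlen() of
 * this is 3, so a strlen-sized buffer cannot hold a store at MAX_SALT_LEN.
 * Returns 1 if the buggy sizing rule would let that store run past the end. */
int embedded_nul_sample_overflows(void)
{
    char sample[3 + 1 + 500 + 4 + 1];
    memcpy(sample, "$6$", 3);
    sample[3] = '\0';
    memset(sample + 4, '*', 500);
    memcpy(sample + 504, "$abc", 5);          /* copies the terminating NUL too */
    return store_exceeds_strlen_alloc(sample, MAX_SALT_LEN);
}

int main(void)
{
    printf("strlen-sized buffer, store at index %d: %s\n", MAX_SALT_LEN,
           embedded_nul_sample_overflows() ? "OUT OF BOUNDS" : "ok");
    printf("bounded copy of \"$6$abc$\": %s\n",
           salt_dup_matches("$6$abc$", "$6$abc$") ? "intact" : "mismatch");
    return 0;
}
```

The point of store_exceeds_strlen_alloc() is purely diagnostic: it encodes the relation between the allocation size and the highest index written so that the failure can be reasoned about on any input, while salt_dup_bounded() shows the fix pattern of deriving the allocation from the maximum index rather than from the string's measured length.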