* libmisc/salt.c: Make sure the salt string is terminated at the

right place (either 8th, or 11th position). * NEWS, src/chgpasswd.c, src/chpasswd.c: The protocol + salt does not need 15 chars. No need for a temporary buffer. This change the fix committed on 2007-11-10. The salt provided to pw_encrypt could have been too long.
2007-11-16 19:02:00 +00:00 · 2007-11-16 19:02:00 +00:00 · 449f17385a
commit 449f17385a
parent e163c5fe9c
5 changed files with 30 additions and 16 deletions
--- a/9
+++ b/9
@ -1,3 +1,12 @@
+2007-11-10  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* libmisc/salt.c: Make sure the salt string is terminated at the
+	right place (either 8th, or 11th position).
+	* NEWS, src/chgpasswd.c, src/chpasswd.c: The protocol + salt does
+	not need 15 chars. No need for a temporary buffer.
+	This change the fix committed on 2007-11-10. The salt provided to
+	pw_encrypt could have been too long.
+
 2007-11-16  Nicolas François  <nicolas.francois@centraliens.net>

 	* man/fr/fr.po: Fix typo: missing / in <placeholder-1/>. This
--- a/3
+++ b/3
@ -7,7 +7,8 @@ shadow-4.0.18.1 -> shadow-4.0.18.2					UNRELEASED
  useradd's -g option. Applied Debian patch 397_non_numerical_identifier.
  Thanks also to Greg Schafer <gschafer@zip.com.au>.
 - chgpasswd, chpasswd: Fix chpasswd and chgpasswd stack overflow. Based on
-  Fedora's shadow-4.0.18.1-overflow.patch.
+  the Fedora's shadow-4.0.18.1-overflow.patch and Debian's
+  495_salt_stack_smash patches.
 - newgrp: Don't ask for a password if there are no group passwords. Just
  directly give up.
 - The permissions of the suid binaries is now configurable in
--- a/libmisc/salt.c
+++ b/libmisc/salt.c
@ -62,11 +62,13 @@ char *crypt_make_salt (void)
 {
 	struct timeval tv;
 	static char result[40];
+	int max_salt_len = 8;

 	result[0] = '\0';
 #ifndef USE_PAM
 	if (getdef_bool ("MD5_CRYPT_ENAB")) {
 		strcpy (result, "$1$");	/* magic for the new MD5 crypt() */
+		max_salt_len += 3;
 	}
 #endif

@ -77,8 +79,8 @@ char *crypt_make_salt (void)
 	strcat (result, l64a (tv.tv_usec));
 	strcat (result, l64a (tv.tv_sec + getpid () + clock ()));

-	if (strlen (result) > 3 + 8)	/* magic+salt */
-		result[11] = '\0';
+	if (strlen (result) > max_salt_len)	/* magic+salt */
+		result[max_salt_len] = '\0';

 	return result;
 }
--- a/src/chgpasswd.c
+++ b/src/chgpasswd.c
@ -243,14 +243,15 @@ int main (int argc, char **argv)
 		newpwd = cp;
 		if (!eflg) {
 			if (md5flg) {
-				char tmp[12];
-				char salt[15] = "";
+				char md5salt[12] = "$1$";
+				char *salt = crypt_make_salt ();

-				strcat (tmp, crypt_make_salt ());
-				if (!strncmp (tmp, "$1$", 3))
-					strcat (salt, "$1$");
-				strcat (salt, tmp);
-				cp = pw_encrypt (newpwd, salt);
+				if (strncmp (salt, "$1$", 3) == 0) {
+					strncpy (md5salt, salt, 11);
+				} else {
+					strncat (md5salt, salt, 8);
+				}
+				cp = pw_encrypt (newpwd, md5salt);
 			} else
 				cp = pw_encrypt (newpwd, crypt_make_salt ());
 		}
--- a/src/chpasswd.c
+++ b/src/chpasswd.c
@ -239,13 +239,14 @@ int main (int argc, char **argv)
 		newpwd = cp;
 		if (!eflg) {
 			if (md5flg) {
-				char tmp[12];
-				char salt[15] = "";
+				char md5salt[12] = "$1$";
+				char *salt = crypt_make_salt ();

-				strcat (tmp, crypt_make_salt ());
-				if (!strncmp (tmp, "$1$", 3))
-					strcat (salt, "$1$");
-				strcat (salt, tmp);
+				if (strncmp (salt, "$1$", 3) == 0) {
+					strncpy (md5salt, salt, 11);
+				} else {
+					strncat (md5salt, salt, 8);
+				}
 				cp = pw_encrypt (newpwd, salt);
 			} else
 				cp = pw_encrypt (newpwd, crypt_make_salt ());