github/hashcat
1
Fork 0
mirror of https://github.com/hashcat/hashcat synced 2024-11-28 05:21:38 +01:00
Code Releases Activity

Merge pull request #3233 from philsmd/philsmd-rp-overflows

Browse Source 
prevent further integer overflows in rp.c
This commit is contained in:
Jens Steube 2022-03-20 20:42:50 +01:00 committed by GitHub
commit 881d336a78
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 46 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
src/rp.c
View File

@ -770,9 +770,14 @@ int kernel_rules_load (hashcat_ctx_t *hashcat_ctx, kernel_rule_t **out_buf, u32
{ {
rule_len = (u32) fgetl (&fp, rule_buf, HCBUFSIZ_LARGE); rule_len = (u32) fgetl (&fp, rule_buf, HCBUFSIZ_LARGE);
if (rule_line >= 0xffffffff) if (rule_line == (u32) -1)
{ {
event_log_error (hashcat_ctx, "Unsupported number of lines in rule file %s", rp_file); event_log_error (hashcat_ctx, "Unsupported number of lines in rule file %s.", rp_file);
hcfree (all_kernel_rules_cnt);
hcfree (all_kernel_rules_buf);
hcfree (rule_buf);
return -1; return -1;
} }
@ -787,7 +792,21 @@ int kernel_rules_load (hashcat_ctx_t *hashcat_ctx, kernel_rule_t **out_buf, u32
{ {
kernel_rules_buf = (kernel_rule_t *) hcrealloc (kernel_rules_buf, kernel_rules_avail * sizeof (kernel_rule_t), INCR_RULES * sizeof (kernel_rule_t)); kernel_rules_buf = (kernel_rule_t *) hcrealloc (kernel_rules_buf, kernel_rules_avail * sizeof (kernel_rule_t), INCR_RULES * sizeof (kernel_rule_t));
const u32 kernel_rules_avail_old = kernel_rules_avail;
kernel_rules_avail += INCR_RULES; kernel_rules_avail += INCR_RULES;
if (kernel_rules_avail < kernel_rules_avail_old) // u32 overflow
{
event_log_error (hashcat_ctx, "Unsupported number of rules in rule file %s.", rp_file);
hcfree (all_kernel_rules_cnt);
hcfree (all_kernel_rules_buf);
hcfree (rule_buf);
return -1;
}
} }
char in[RP_PASSWORD_SIZE]; char in[RP_PASSWORD_SIZE];
@ -814,9 +833,14 @@ int kernel_rules_load (hashcat_ctx_t *hashcat_ctx, kernel_rule_t **out_buf, u32
continue; continue;
} }
if (kernel_rules_cnt >= 0xffffffff) if (kernel_rules_cnt == (u32) -1)
{ {
event_log_error (hashcat_ctx, "Unsupported number of rules in file %s", rp_file); event_log_error (hashcat_ctx, "Unsupported number of rules in rule file %s.", rp_file);
hcfree (all_kernel_rules_cnt);
hcfree (all_kernel_rules_buf);
hcfree (rule_buf);
return -1; return -1;
} }
@ -844,8 +868,26 @@ int kernel_rules_load (hashcat_ctx_t *hashcat_ctx, kernel_rule_t **out_buf, u32
for (u32 i = 0; i < user_options->rp_files_cnt; i++) for (u32 i = 0; i < user_options->rp_files_cnt; i++)
{ {
const u32 kernel_rules_cnt_old = kernel_rules_cnt;
kernel_rules_cnt *= all_kernel_rules_cnt[i]; kernel_rules_cnt *= all_kernel_rules_cnt[i];
if (kernel_rules_cnt < kernel_rules_cnt_old) // u32 overflow ?
{
if (all_kernel_rules_cnt[i] > 0) // at least one "valid" rule
{
event_log_error (hashcat_ctx, "Unsupported number of rules used in rule chaining.");
hcfree (all_kernel_rules_cnt);
hcfree (all_kernel_rules_buf);
hcfree (rule_buf);
hcfree (repeats);
return -1;
}
}
repeats[i + 1] = kernel_rules_cnt; repeats[i + 1] = kernel_rules_cnt;
} }