[Bug] MD5 Password code has a serious memory flaw
Post is unread #1 Mar 16, 2005 9:56 pm   Last edited May 6, 2005 2:17 am by Samson

Black Hand
Joined: Jan 1, 2002

Bug: MD5 Password code has a serious memory flaw.
Danger: Critical - Will invalidate passwords under random circumstances.
Found by: Gatewaysysop
Fixed by: Samson


comm.c, smaug_crypt


   strncpy( passwd, ( const char * )digest, 16 );

Change to:

   strncpy( passwd, ( const char * )digest, 15 );
   passwd[15] = '\0';

While this may seem innocuous, there is actually a nasty memory problem lurking here. For those who may know, it should be fairly obvious. For those who don't, strncpy does not NULL-terminate a string if the result of its operation consumes the size specified. In this case, 16 bytes. All 16 bytes are generally occupied by the md5 algorithm, so the string is never properly terminated. So for safety, only 15 bytes will now be copied, and the 15th position of the array set to NULL. This guarantees no problems. This fix will not cause your already saved passwords to be invalidated.

A bit of explanation. Gatewaysysop noticed that his password was getting corrupted with junk data that should not have been there. It was most noticeable when using the formpass command to test with, but it was also clobbering the password pointer on his character data as well. He does his development work on Cygwin, with a modified base. This bug apparently did not seem to faze my Linux install and everything was working fine. However, in the course of our investigating this issue, it was found to affect the FUSS packages without being modified. The circumstances which brought forth the bug were rather strange. Apparently somehow when objects get grouped, they do weirdness in memory, because only when displaying grouped objects, like "A sharp knife (3)", will this bug manifest.

It struck me that in AFKMud I use the strlcpy, note the L, not N, and there are no issues with the code as is. I was not able to reproduce any of the known conditions that could cause this. I realized that it must have been due to non-terminated strings and decided to play a hunch and see what happened. Terminating the string stopped the problem. It is not known for sure if this bug would have affected other platforms, or even just other versions of GCC. No sense in chancing it.

Chalk one up to those rare conditions or something.
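The following C program is an added illustration of the strncpy behaviour described in this post; it is not code from the SmaugFUSS tree or from the post itself. The struct layout (a 16-byte passwd buffer with another field directly behind it) and the 16-byte digest are constructed for the demonstration and are assumptions, not SMAUG's real data. It runs the pre-fix copy and the fixed copy side by side and reports how far a strlen-style scan of passwd would run in each case, and it also measures the separate caveat that a raw digest byte of 0x00 truncates the stored value even after the fix.

```c
#include <stddef.h>
#include <string.h>

/*
 * Constructed layout for the demonstration (not SMAUG's real struct): a
 * 16-byte password buffer with other live data directly behind it.
 */
struct pw_slot {
    char passwd[16];
    char after[8];
};

/* Constructed 16-byte digest with no zero bytes, the common case for MD5. */
static const unsigned char kDigest[16] = {
    0x9e, 0x10, 0x7d, 0x9d, 0x37, 0x2b, 0xb6, 0x82,
    0x6b, 0xd8, 0x1d, 0x35, 0x42, 0xa4, 0x19, 0xd6
};

/* Fill the bytes behind passwd with nonzero data so a runaway read is visible. */
static void prepare(struct pw_slot *s) {
    memset(s, 0, sizeof *s);
    memcpy(s->after, "junkdat", 8);   /* 7 letters plus the terminating NUL */
}

/* Pre-fix SMAUG behaviour: strncpy with n == sizeof passwd writes no NUL. */
static void store_unterminated(struct pw_slot *s, const unsigned char digest[16]) {
    prepare(s);
    strncpy(s->passwd, (const char *)digest, 16);
}

/* Samson's fix: copy 15 bytes and terminate explicitly. */
static void store_terminated(struct pw_slot *s, const unsigned char digest[16]) {
    prepare(s);
    strncpy(s->passwd, (const char *)digest, 15);
    s->passwd[15] = '\0';
}

/*
 * What strlen(s->passwd) would report, but scanned over the whole struct so
 * the demo never reads outside it. A result above 15 means the "string" ran
 * past passwd into the neighbouring field: the junk data seen in the post.
 */
static size_t observed_len(const struct pw_slot *s) {
    const char *raw = (const char *)s;
    size_t n = 0;
    while (n < sizeof *s && raw[n] != '\0')
        n++;
    return n;
}

/*
 * Caveat that survives the fix: the digest is raw binary, so a 0x00 byte
 * anywhere in the first 15 bytes truncates the stored "string" there.
 * Returns how many digest bytes the C-string handling actually preserves.
 */
static size_t stored_digest_bytes(const unsigned char digest[16]) {
    size_t n = 0;
    while (n < 15 && digest[n] != 0)
        n++;
    return n;
}

/* Wrappers so each case can be checked as a plain return value. */
static size_t demo_unterminated(void) {
    struct pw_slot s;
    store_unterminated(&s, kDigest);
    return observed_len(&s);   /* 16 digest bytes + 7 of "junkdat" = 23 */
}

static size_t demo_terminated(void) {
    struct pw_slot s;
    store_terminated(&s, kDigest);
    return observed_len(&s);   /* stops at the explicit terminator: 15 */
}

/* Constructed digest with a zero byte at index 3 to show the truncation caveat. */
static size_t demo_digest_with_zero(void) {
    const unsigned char d[16] = { 0x12, 0x34, 0x56, 0x00, 0x78, 0x9a, 0xbc, 0xde,
                                  0xf0, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 };
    return stored_digest_bytes(d);   /* only 3 bytes survive as a C string */
}
```

The first wrapper shows why the corruption was intermittent: with no terminator, what passwd "contains" depends entirely on whatever happens to sit after the buffer, which is why it only appeared under particular memory layouts. The fix closes that hole, but because the digest is raw bytes handled as a C string, only 15 of the 16 digest bytes are kept, and any 0x00 byte in those 15 shortens the stored value further (roughly 1 - (255/256)^15, about 5.7%, of random digests hit this). Anyone free to change the on-disk format would store the digest hex- or base64-encoded so that every byte survives string handling.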