Posted to bugs@apr.apache.org by bu...@apache.org on 2008/08/25 10:25:22 UTC

DO NOT REPLY [Bug 45679] SHA1 passwords starting with {SHA} don't work and cause a minor buffer overrun

https://issues.apache.org/bugzilla/show_bug.cgi?id=45679


Bojan Smojver <bo...@rexursive.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bojan@rexursive.com




--- Comment #1 from Bojan Smojver <bo...@rexursive.com>  2008-08-25 01:25:21 PST ---
I don't think this patch is correct. I think we should actually do this (note
that there is a tab in the first patched line, hence the diff):

Index: crypto/apr_sha1.c
===================================================================
--- crypto/apr_sha1.c   (revision 685796)
+++ crypto/apr_sha1.c   (working copy)
@@ -352,7 +352,8 @@
     apr_byte_t digest[APR_SHA1_DIGESTSIZE];

     if (strncmp(clear, APR_SHA1PW_ID, APR_SHA1PW_IDLEN) == 0) {
-       clear += APR_SHA1PW_IDLEN;
+        clear += APR_SHA1PW_IDLEN;
+        len -= APR_SHA1PW_IDLEN;
     }

     apr_sha1_init(&context);
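
Review bot: The added `len -= APR_SHA1PW_IDLEN;` inside the `strncmp` branch has no length guard, so if a caller passes a `len` smaller than `APR_SHA1PW_IDLEN` while `clear` still begins with the prefix, `len` ends up negative or wrapped before any later use. The `strncmp` call itself compares up to `APR_SHA1PW_IDLEN` bytes regardless of `len`. Consider tightening the condition to `len >= APR_SHA1PW_IDLEN && strncmp(clear, APR_SHA1PW_ID, APR_SHA1PW_IDLEN) == 0`. The tab-to-spaces change on the `clear +=` line would be better in a separate commit, so that the functional change is the only modified line in this diff.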

Does the above work for you?

