| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 31 Dec 2006 08:55:28 -1000
From: Mitch Bradley <wmb@...mworks.com>
To: Pekka Enberg <penberg@...helsinki.fi>
CC: "OLPC Developer's List" <devel@...top.org>,
Linux Kernel ML <linux-kernel@...r.kernel.org>,
Jim Gettys <jg@...top.org>
Subject: Re: [PATCH] Open Firmware device tree virtual filesystem
I made all the changes Pekka suggested, except:
> + security = strncmp(propname, "security-", 9) == 0;
>> + len = 0;
>
> Redundant assignment, no?
>
>> + if (!security)
>> + (void)callofw("getproplen", 2, 1, node,
>> propname, &len);
>
That assignment turns out not to be redundant. If a security variable
is recognized, you want the length to be 0 so as not to expose the
password. In that case the following "getproplen" call won't be executed.
That logic was adapted from the existing file fs/proc/devtree.c . It
turns out that the code there has a bug: You really want to look for
just "security-password" ; there is no need to, and good reasons not to,
suppress the length of "security-mode" and "security-#badlogins". (Good
OFW implementations won't leak the password length anyway, so check is
only needed as a workaround).
I have rewritten the code for clarity and correctness thusly:
if (strcmp(propname, "security-password") == 0) {
len = 0; /* Don't leak password length */
} else {
callofw("getproplen", 2, 1, node, propname, &len);
}
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists