Date:   Fri, 11 Mar 2022 15:23:39 +0800
From:   Chen Jingwen <chenjingwen6@...wei.com>
To:     Chen Jingwen <chenjingwen6@...wei.com>,
        "linux-kernel @ vger . kernel . org" <linux-kernel@...r.kernel.org>,
        "keyrings @ vger . kernel . org" <keyrings@...r.kernel.org>,
        Mehmet Kayaalp <mkayaalp@...ux.vnet.ibm.com>,
        David Howells <dhowells@...hat.com>,
        Mimi Zohar <zohar@...ux.vnet.ibm.com>,
        James Morris <jmorris@...ei.org>,
        "Serge E . Hallyn" <serge@...lyn.com>
Subject: strncmp might be wrong used in insert-sys-cert.c

Hi, All.

When I scanned scripts/insert-sys-cert.c, I encountered this:

>	    strncmp(cert_sym.content, cert, cert_size) == 0) {
>		warn("Certificate was already inserted.\n");
>		exit(EXIT_SUCCESS);

strncmp will stop if it sees b'\0'.  I think memcmp should be used here.
For example, we have two _different_ certificates,
one was already inserted and another one is being processed by insert-sys-cert.
In case both certificates start with the same bytes followed by a '\0',
the new one won't be overridden, which is not expected, right?

Chen Jingwen
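
The difference described in the message above, as an added example that is not part of the original post or of the kernel source. The buffers are constructed sample bytes rather than real certificates, and the names cert_a, cert_b, same_by_strncmp and same_by_memcmp are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data, not real certificates: two DER-like blobs that
 * share every byte up to and including a 0x00, then differ. */
static const unsigned char cert_a[] = {
    0x30, 0x82, 0x00, 0x08, 0x02, 0x01, 0x01, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE
};
static const unsigned char cert_b[] = {
    0x30, 0x82, 0x00, 0x08, 0x02, 0x01, 0x02, 0x11, 0x22, 0x33, 0x44, 0x55
};

/* Comparison in the style quoted in the post: strncmp() stops at the
 * first NUL byte, so everything after it is never examined. */
static int same_by_strncmp(const unsigned char *slot,
                           const unsigned char *cert, size_t size)
{
    return strncmp((const char *)slot, (const char *)cert, size) == 0;
}

/* Comparison the post proposes: memcmp() compares all size bytes. */
static int same_by_memcmp(const unsigned char *slot,
                          const unsigned char *cert, size_t size)
{
    return memcmp(slot, cert, size) == 0;
}

int main(void)
{
    size_t n = sizeof(cert_a);

    /* Different blobs: strncmp reports a match, memcmp does not. */
    printf("strncmp says already inserted: %d\n",
           same_by_strncmp(cert_a, cert_b, n));
    printf("memcmp  says already inserted: %d\n",
           same_by_memcmp(cert_a, cert_b, n));
    return 0;
}
```

DER-encoded data routinely contains 0x00 bytes, so a string comparison over it covers only the prefix before the first one.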
