|
|
c79d99 |
diff -up cracklib-2.9.6/lib/fascist.c.overflow cracklib-2.9.6/lib/fascist.c
|
|
|
c79d99 |
--- cracklib-2.9.6/lib/fascist.c.overflow 2015-10-23 16:58:38.403319225 +0200
|
|
|
c79d99 |
+++ cracklib-2.9.6/lib/fascist.c 2016-12-08 17:28:41.490101358 +0100
|
|
|
c79d99 |
@@ -515,7 +515,7 @@ FascistGecosUser(char *password, const c
|
|
|
c79d99 |
char gbuffer[STRINGSIZE];
|
|
|
c79d99 |
char tbuffer[STRINGSIZE];
|
|
|
c79d99 |
char *uwords[STRINGSIZE];
|
|
|
c79d99 |
- char longbuffer[STRINGSIZE * 2];
|
|
|
c79d99 |
+ char longbuffer[STRINGSIZE];
|
|
|
c79d99 |
|
|
|
c79d99 |
if (gecos == NULL)
|
|
|
c79d99 |
gecos = "";
|
|
|
c79d99 |
@@ -596,38 +596,47 @@ FascistGecosUser(char *password, const c
|
|
|
c79d99 |
{
|
|
|
c79d99 |
for (i = 0; i < j; i++)
|
|
|
c79d99 |
{
|
|
|
c79d99 |
- strcpy(longbuffer, uwords[i]);
|
|
|
c79d99 |
- strcat(longbuffer, uwords[j]);
|
|
|
c79d99 |
-
|
|
|
c79d99 |
- if (GTry(longbuffer, password))
|
|
|
c79d99 |
+ if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
|
|
|
c79d99 |
{
|
|
|
c79d99 |
- return _("it is derived from your password entry");
|
|
|
c79d99 |
- }
|
|
|
c79d99 |
-
|
|
|
c79d99 |
- strcpy(longbuffer, uwords[j]);
|
|
|
c79d99 |
- strcat(longbuffer, uwords[i]);
|
|
|
c79d99 |
+ strcpy(longbuffer, uwords[i]);
|
|
|
c79d99 |
+ strcat(longbuffer, uwords[j]);
|
|
|
c79d99 |
|
|
|
c79d99 |
- if (GTry(longbuffer, password))
|
|
|
c79d99 |
- {
|
|
|
c79d99 |
- return _("it's derived from your password entry");
|
|
|
c79d99 |
+ if (GTry(longbuffer, password))
|
|
|
c79d99 |
+ {
|
|
|
c79d99 |
+ return _("it is derived from your password entry");
|
|
|
c79d99 |
+ }
|
|
|
c79d99 |
+
|
|
|
c79d99 |
+ strcpy(longbuffer, uwords[j]);
|
|
|
c79d99 |
+ strcat(longbuffer, uwords[i]);
|
|
|
c79d99 |
+
|
|
|
c79d99 |
+ if (GTry(longbuffer, password))
|
|
|
c79d99 |
+ {
|
|
|
c79d99 |
+ return _("it's derived from your password entry");
|
|
|
c79d99 |
+ }
|
|
|
c79d99 |
}
|
|
|
c79d99 |
|
|
|
c79d99 |
- longbuffer[0] = uwords[i][0];
|
|
|
c79d99 |
- longbuffer[1] = '\0';
|
|
|
c79d99 |
- strcat(longbuffer, uwords[j]);
|
|
|
c79d99 |
-
|
|
|
c79d99 |
- if (GTry(longbuffer, password))
|
|
|
c79d99 |
+ if (strlen(uwords[j]) < STRINGSIZE - 1)
|
|
|
c79d99 |
{
|
|
|
c79d99 |
- return _("it is derivable from your password entry");
|
|
|
c79d99 |
+ longbuffer[0] = uwords[i][0];
|
|
|
c79d99 |
+ longbuffer[1] = '\0';
|
|
|
c79d99 |
+ strcat(longbuffer, uwords[j]);
|
|
|
c79d99 |
+
|
|
|
c79d99 |
+ if (GTry(longbuffer, password))
|
|
|
c79d99 |
+ {
|
|
|
c79d99 |
+ return _("it is derivable from your password entry");
|
|
|
c79d99 |
+ }
|
|
|
c79d99 |
}
|
|
|
c79d99 |
|
|
|
c79d99 |
- longbuffer[0] = uwords[j][0];
|
|
|
c79d99 |
- longbuffer[1] = '\0';
|
|
|
c79d99 |
- strcat(longbuffer, uwords[i]);
|
|
|
c79d99 |
-
|
|
|
c79d99 |
- if (GTry(longbuffer, password))
|
|
|
c79d99 |
+ if (strlen(uwords[i]) < STRINGSIZE - 1)
|
|
|
c79d99 |
{
|
|
|
c79d99 |
- return _("it's derivable from your password entry");
|
|
|
c79d99 |
+ longbuffer[0] = uwords[j][0];
|
|
|
c79d99 |
+ longbuffer[1] = '\0';
|
|
|
c79d99 |
+ strcat(longbuffer, uwords[i]);
|
|
|
c79d99 |
+
|
|
|
c79d99 |
+ if (GTry(longbuffer, password))
|
|
|
c79d99 |
+ {
|
|
|
c79d99 |
+ return _("it's derivable from your password entry");
|
|
|
c79d99 |
+ }
|
|
|
c79d99 |
}
|
|
|
c79d99 |
}
|
|
|
c79d99 |
}
|
|
|
c79d99 |
diff -up cracklib-2.9.6/lib/rules.c.overflow cracklib-2.9.6/lib/rules.c
|
|
|
c79d99 |
--- cracklib-2.9.6/lib/rules.c.overflow 2015-10-23 16:58:38.000000000 +0200
|
|
|
c79d99 |
+++ cracklib-2.9.6/lib/rules.c 2016-12-08 18:03:27.041941297 +0100
|
|
|
c79d99 |
@@ -158,6 +158,8 @@ Pluralise(string, area) /* returns a po
|
|
|
c79d99 |
register int length;
|
|
|
c79d99 |
length = strlen(string);
|
|
|
c79d99 |
strcpy(area, string);
|
|
|
c79d99 |
+ if (length > STRINGSIZE - 3) /* we add 2 characters at worst */
|
|
|
c79d99 |
+ return (area);
|
|
|
c79d99 |
|
|
|
c79d99 |
if (!Suffix(string, "ch") ||
|
|
|
c79d99 |
!Suffix(string, "ex") ||
|
|
|
c79d99 |
@@ -462,11 +464,11 @@ Mangle(input, control, area) /* returns
|
|
|
c79d99 |
Pluralise(area2, area);
|
|
|
c79d99 |
break;
|
|
|
c79d99 |
case RULE_REFLECT:
|
|
|
c79d99 |
- strcat(area, Reverse(area, area2));
|
|
|
c79d99 |
+ strncat(area, Reverse(area, area2), STRINGSIZE - strlen(area) - 1);
|
|
|
c79d99 |
break;
|
|
|
c79d99 |
case RULE_DUPLICATE:
|
|
|
c79d99 |
strcpy(area2, area);
|
|
|
c79d99 |
- strcat(area, area2);
|
|
|
c79d99 |
+ strncat(area, area2, STRINGSIZE - strlen(area) - 1);
|
|
|
c79d99 |
break;
|
|
|
c79d99 |
case RULE_GT:
|
|
|
c79d99 |
if (!ptr[1])
|
|
|
c79d99 |
@@ -514,7 +516,8 @@ Mangle(input, control, area) /* returns
|
|
|
c79d99 |
} else
|
|
|
c79d99 |
{
|
|
|
c79d99 |
area2[0] = *(++ptr);
|
|
|
c79d99 |
- strcpy(area2 + 1, area);
|
|
|
c79d99 |
+ strncpy(area2 + 1, area, STRINGSIZE - 2);
|
|
|
c79d99 |
+ area2[STRINGSIZE - 1] = '\0';
|
|
|
c79d99 |
strcpy(area, area2);
|
|
|
c79d99 |
}
|
|
|
c79d99 |
break;
|
|
|
c79d99 |
@@ -528,8 +531,10 @@ Mangle(input, control, area) /* returns
|
|
|
c79d99 |
register char *string;
|
|
|
c79d99 |
string = area;
|
|
|
c79d99 |
while (*(string++));
|
|
|
c79d99 |
- string[-1] = *(++ptr);
|
|
|
c79d99 |
- *string = '\0';
|
|
|
c79d99 |
+ if (string < area + STRINGSIZE) {
|
|
|
c79d99 |
+ string[-1] = *(++ptr);
|
|
|
c79d99 |
+ *string = '\0';
|
|
|
c79d99 |
+ }
|
|
|
c79d99 |
}
|
|
|
c79d99 |
break;
|
|
|
c79d99 |
case RULE_EXTRACT:
|
|
|
c79d99 |
@@ -600,6 +605,10 @@ Mangle(input, control, area) /* returns
|
|
|
c79d99 |
}
|
|
|
c79d99 |
p1 = area;
|
|
|
c79d99 |
p2 = area2;
|
|
|
c79d99 |
+ if (strlen(p1) > STRINGSIZE - 2) {
|
|
|
c79d99 |
+ /* truncate */
|
|
|
c79d99 |
+ p1[STRINGSIZE - 2] = '\0';
|
|
|
c79d99 |
+ }
|
|
|
c79d99 |
while (i && *p1)
|
|
|
c79d99 |
{
|
|
|
c79d99 |
i--;
|