This is a discussion on Re: [PATCH] Buffer overflow in lib/libc/bcrypt.c within the lucky.openbsd.tech forums, part of the OpenBSD category.
On Tue, 4 Jul 2006, Matthew R. Dempsky wrote:

> encode_salt() in lib/libc/bcrypt.c writes a 7 byte prefix, a base64
> encoding of a 16 byte string (16 * 4/3 rounded up bytes), and then a
> null terminator into the gsalt global variable which only has enough
> room for the base64 encoding.

I think you are right... we must have been lucky. On my macppc, the symbol is followed by some other temp storage:

0011d7f0 l O .bss 00001000 comp_maskr
0011e7f0 l O .bss 00000080 encrypted
0011e870 l O .bss 00000016 gsalt
0011e888 l O .bss 00000078 passwd.1
0011e900 l O .bss 000000ff buf.0

which happens to be the passwd from md5crypt. Thanks for spotting this.

-Otot

> > Index: lib/libc/crypt/bcrypt.c > ================================================== ================= > RCS file: /cvs/src/lib/libc/crypt/bcrypt.c,v > retrieving revision 1.20 > diff -p -u -r1.20 bcrypt.c > --- lib/libc/crypt/bcrypt.c 3 Apr 2006 19:55:49 -0000 1.20 > +++ lib/libc/crypt/bcrypt.c 4 Jul 2006 06:23:23 -0000 > @@ -73,7 +73,7 @@ static void encode_base64(u_int8_t *, u_ > static void decode_base64(u_int8_t *, u_int16_t, u_int8_t *); > > static char encrypted[_PASSWORD_LEN]; > -static char gsalt[BCRYPT_MAXSALT * 4 / 3 + 1]; > +static char gsalt[7 + (BCRYPT_MAXSALT * 4 + 2) / 3 + 1]; > static char error[] = ":"; > > const static u_int8_t Base64Code[] =
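
Review bot: The literal 7 in the new gsalt declaration is a magic number that can only be understood from the description of encode_salt() in the mail; give it a name or a comment spelling out the three parts (prefix, base64 of BCRYPT_MAXSALT bytes rounded up, NUL terminator) so the array size stays tied to what is written into it. The declaration also remains the only protection, so a length check at the place where gsalt is filled would keep a later change to the prefix from reintroducing the overflow.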
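
The size arithmetic from the quoted report, as an added example that is not part of the original post or of the OpenBSD source: a bounded salt encoder that refuses a buffer of the old size and accepts one of the patched size. The names encode_salt_checked, salt_buf_size and b64_len are hypothetical, and the "$2a$NN$" layout of the 7 byte prefix is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SALT_BYTES 16   /* the "16 byte string" from the report */
#define PREFIX_LEN 7    /* the 7 byte prefix, assumed to be "$2a$NN$" */

static const char b64[] =   /* bcrypt's base64 alphabet */
    "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

/* Characters produced by unpadded base64 for n bytes: ceil(n * 4 / 3). */
static size_t b64_len(size_t n) { return (n * 4 + 2) / 3; }

/* Bytes the salt string needs: prefix + base64 + NUL terminator. */
static size_t salt_buf_size(size_t n) { return PREFIX_LEN + b64_len(n) + 1; }

/* Hypothetical bounded encoder: returns the string length on success,
 * or -1 without writing anything if out cannot hold the result. */
static int encode_salt_checked(char *out, size_t outlen,
    const uint8_t *salt, size_t n, unsigned logr)
{
    size_t i, o = PREFIX_LEN;
    uint32_t acc = 0;
    int bits = 0;

    if (logr > 99 || outlen < salt_buf_size(n))
        return -1;
    snprintf(out, outlen, "$2a$%02u$", logr);
    for (i = 0; i < n; i++) {
        acc = (acc << 8) | salt[i];
        bits += 8;
        while (bits >= 6) {
            bits -= 6;
            out[o++] = b64[(acc >> bits) & 0x3f];
        }
    }
    if (bits > 0)   /* leftover bits, left-aligned in the last character */
        out[o++] = b64[(acc << (6 - bits)) & 0x3f];
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    uint8_t salt[SALT_BYTES] = {0};   /* constructed sample salt */
    char old_buf[SALT_BYTES * 4 / 3 + 1], new_buf[7 + (SALT_BYTES * 4 + 2) / 3 + 1];

    printf("old: %d\n", encode_salt_checked(old_buf, sizeof old_buf, salt, SALT_BYTES, 6));
    printf("new: %d\n", encode_salt_checked(new_buf, sizeof new_buf, salt, SALT_BYTES, 6));
    return 0;
}
```

The old expression yields 22 bytes, matching the 00000016 size of gsalt in the symbol listing, while the encoded string needs 30.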