From: philsmd <philsmd@hashcat.net>
Date: Sat, 2 Apr 2016 16:05:08 +0000 (+0200)
Subject: fixed -m 10200 = Cram MD5 parser: check for NULL pointers ASAP, check base64 input... 
X-Git-Tag: v3.00-beta~156^2
X-Git-Url: https://www.flypig.org.uk/git/?p=hashcat.git;a=commitdiff_plain;h=b3dfd7057e6c5fe10c7385c662131e9a85dd7a48

fixed -m 10200 = Cram MD5 parser: check for NULL pointers ASAP, check base64 input length
---

diff --git a/docs/changes.txt b/docs/changes.txt
index 341c070..e1cd338 100644
--- a/docs/changes.txt
+++ b/docs/changes.txt
@@ -184,6 +184,10 @@ Type.: Bug
 File.: Host
 Desc.: Fixed some checks in the parser of -m 8900 = scrypt
 
+Type.: Bug
+File.: Host
+Desc.: Fixed some checks in the parser of -m 10200 = Cram MD5
+
 * changes v2.00 -> v2.01:
 
 Type.: Bug
diff --git a/src/shared.c b/src/shared.c
index 5543a10..7ee5520 100644
--- a/src/shared.c
+++ b/src/shared.c
@@ -16182,16 +16182,18 @@ int crammd5_parse_hash (char *input_buf, uint input_len, hash_t *hash_buf)
 
   char *hash_pos = strchr (salt_pos, '$');
 
-  uint salt_len = hash_pos - salt_pos;
-
   if (hash_pos == NULL) return (PARSER_SEPARATOR_UNMATCHED);
 
+  uint salt_len = hash_pos - salt_pos;
+
   hash_pos++;
 
   uint hash_len = input_len - 10 - salt_len - 1;
 
   // base64 decode salt
 
+  if (salt_len > 133) return (PARSER_SALT_LENGTH);
+
   u8 tmp_buf[100] = { 0 };
 
   salt_len = base64_decode (base64_to_int, (const u8 *) salt_pos, salt_len, tmp_buf);
@@ -16204,12 +16206,16 @@ int crammd5_parse_hash (char *input_buf, uint input_len, hash_t *hash_buf)
 
   salt->salt_len = salt_len;
 
-  // base64 decode salt
+  // base64 decode hash
+
+  if (hash_len > 133) return (PARSER_HASH_LENGTH);
 
   memset (tmp_buf, 0, sizeof (tmp_buf));
 
   hash_len = base64_decode (base64_to_int, (const u8 *) hash_pos, hash_len, tmp_buf);
 
+  if (hash_len < 32 + 1) return (PARSER_SALT_LENGTH);
+
   uint user_len = hash_len - 32;
 
   const u8 *tmp_hash = tmp_buf + user_len;