(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-ntlmssp.c) |
| |
| 303 | | | |
| 304 | | | memset(lm_password_upper, 0, sizeof(lm_password_upper)); |
| 305 | | | |
| 306 | | | |
| 307 | | | if (nt_password[0] != '\0') { |
| 308 | | | password_len = strlen(nt_password); |
| 309 | | | |
| 310 | | | if (password_len > 16) |
| 311 | | | password_len = 16; |
| 312 | | | for (i = 0; i < password_len; i++) { |
| 313 | | | lm_password_upper[i] = toupper(nt_password[i]); |
Negative Character Value
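toupper() is invoked here with an argument of signed type char, but it only has defined behavior for int arguments that are either representable as unsigned char or equal to the value of the macro EOF (-1). Where char is signed, any byte of nt_password at or above 0x80 (for example a non-ASCII character) is promoted to a negative int and falls outside that range. Casting the argument to unsigned char avoids the undefined behavior: `toupper((unsigned char)nt_password[i])`.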
In a number of libc implementations, toupper() is implemented with a lookup table (an array); passing in a negative value can index before the start of that table, resulting in a read underrun. |
|
| 314 | | | } |
| 315 | | | } |
| 316 | | | |
| 317 | | | crypt_des_ecb(lm_password_hash, lmhash_key, lm_password_upper, 1); |
| 318 | | | crypt_des_ecb(lm_password_hash+8, lmhash_key, lm_password_upper+7, 1); |
| 319 | | | |
| 320 | | | |
| 321 | | | ntlmssp_generate_challenge_response(lm_challenge_response, |
| 322 | | | lm_password_hash, challenge); |
| 323 | | | |
| |