Flagstone Software

12728. FSProtect does not decode if string contains null.

If the string containing the MD5 password contains a null byte then the code decoding the string will terminate early and an FSCoderException will be thrown reporting an underflow error. If the password string is not null-terminated then the decoding the string will run past the end of the data structure and an overflow exception will be reported.

Root Cause

The root cause is the decode(FSCoder coder) method in FSProtect.java. It reads the password string expecting it to be terminated by a null. The correct way should be to decode a string with the correct number of bytes regardless of whether the string contain nulls.

Workaround?

There is no workaround however changing he source code is simple. In FSProtect.java change line 186 from:

password = coder.readString(length-2);

to force the full length to the string to be read:

password = coder.readString(length-2);

When will it be fixed?

This was fixed in Transform 2.1.6 released on 31-Dec-2007

Copyright 2001-2008, Flagstone Software. All rights reserved. Please read our Privacy Policy and Legal Notices.