terryl@tekcrl.UUCP (11/12/86)
Below is an excerpt from the function encrypt() found in the file named in the Subject: line.

    /*
     * Initial permutation,
     */
    static char IP[] = {
        58,50,42,34,26,18,10, 2,
        60,52,44,36,28,20,12, 4,
        62,54,46,38,30,22,14, 6,
        64,56,48,40,32,24,16, 8,
        57,49,41,33,25,17, 9, 1,
        59,51,43,35,27,19,11, 3,
        61,53,45,37,29,21,13, 5,
        63,55,47,39,31,23,15, 7,
    };

    /*
     * Final permutation, FP = IP^(-1)
     */
    static char FP[] = {
        40, 8,48,16,56,24,64,32,
        39, 7,47,15,55,23,63,31,
        38, 6,46,14,54,22,62,30,
        37, 5,45,13,53,21,61,29,
        36, 4,44,12,52,20,60,28,
        35, 3,43,11,51,19,59,27,
        34, 2,42,10,50,18,58,26,
        33, 1,41, 9,49,17,57,25,
    };

    /*
     * The current block, divided into 2 halves.
     */
    static char L[32], R[32];
    static char tempL[32];
    static char f[32];

    /*
     * The payoff: encrypt a block.
     */
    encrypt(block, edflag)
    char *block;
    {
        int i, ii;
        register t, j, k;

        /*
         * First, permute the bits in the input
         */
        for (j=0; j<64; j++)
            L[j] = block[IP[j]-1];

        /*
         * Many lines deleted for brevity.......
         */

        /*
         * The final output
         * gets the inverse permutation of the very original.
         */
        for (j=0; j<64; j++)
            block[j] = L[FP[j]-1];
    }

What's the bug you ask??? Well, in both for loops the static array L is accessed from 0 to 63, directly in the first loop, and indirectly through the array FP in the second loop. But L was declared to only have 32 elements to begin with!!! This code is assuming that because the arrays L and R were declared one after the other, their final addresses (and hence the storage they occupy) will also be consecutive. Well, for most compilers, that's probably true, but that's a pretty bad assumption to be made (read: we just got bit by this by our compiler).

The fix is actually simple enough: just get rid of the static array R, make the static array L 64 elements long, and declare a pointer variable R in encrypt initialized with the address of the 32nd element of L, like so:

    register char *R = &L[32];
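As an added illustration (my own code, not the poster's or the original crypt.c), here is the fix applied in full: L is one 64-element array and R is a pointer into its upper half, so no assumption about how the compiler lays out two separate arrays is needed. With the rounds omitted, IP followed by FP must return the block unchanged, and the check below verifies that together with the FP = IP^(-1) claim. The function names and the sample block are mine.

```c
#include <string.h>

/* DES initial and final permutations, exactly as in the post; FP = IP^(-1). */
static const unsigned char IP[64] = {
    58,50,42,34,26,18,10, 2, 60,52,44,36,28,20,12, 4,
    62,54,46,38,30,22,14, 6, 64,56,48,40,32,24,16, 8,
    57,49,41,33,25,17, 9, 1, 59,51,43,35,27,19,11, 3,
    61,53,45,37,29,21,13, 5, 63,55,47,39,31,23,15, 7,
};
static const unsigned char FP[64] = {
    40, 8,48,16,56,24,64,32, 39, 7,47,15,55,23,63,31,
    38, 6,46,14,54,22,62,30, 37, 5,45,13,53,21,61,29,
    36, 4,44,12,52,20,60,28, 35, 3,43,11,51,19,59,27,
    34, 2,42,10,50,18,58,26, 33, 1,41, 9,49,17,57,25,
};

/* The fix from the post: one 64-element buffer; R will alias its upper half. */
static char L[64];

/* Returns 1 if FP really is the inverse of IP (IP[FP[j]-1] == j+1 for all j). */
int fp_is_inverse_of_ip(void)
{
    int j;
    for (j = 0; j < 64; j++)
        if (IP[FP[j] - 1] != j + 1)
            return 0;
    return 1;
}

/* Apply IP into L, then FP back into block (rounds omitted). Returns 1 if the
   right half is reachable through R and the block comes back unchanged. */
int permute_roundtrip(char block[64])
{
    char *R = &L[32];   /* right half lives inside L: no layout assumption */
    char saved[64];
    int j;
    memcpy(saved, block, 64);
    for (j = 0; j < 64; j++)
        L[j] = block[IP[j] - 1];        /* in bounds: L now has 64 elements */
    if (R[0] != block[IP[32] - 1])      /* R[0] must be the 33rd permuted bit */
        return 0;
    for (j = 0; j < 64; j++)
        block[j] = L[FP[j] - 1];
    return memcmp(saved, block, 64) == 0;
}

/* Self-check on a constructed block of 64 distinct values. */
int roundtrip_check(void)
{
    char block[64];
    int j;
    for (j = 0; j < 64; j++)
        block[j] = (char)j;
    return permute_roundtrip(block);
}
```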