mvondracek / PA193_mnemonic_Slytherin

BIP39 Mnemonic Phrase Generator and Verifier

Too long password causes crash with OverflowError #29

Closed mvondracek closed 4 years ago

mvondracek commented 4 years ago

Password length is not checked. If our program/package is provided a malicious, too long password, it crashes due to "OverflowError: salt is too long." in pbkdf2_hmac during _generate_seed.

Added test in 49b7e900914215925360441919975e285f61ed04, which will be failing until the bug is fixed.

Branch fix-_generate_seed_invalid-password-too-long.

mvondracek commented 4 years ago

It might also raise MemoryError depending on how much free memory your computer has. But you cannot effectively handle MemoryError and continue with computation of the seed. MemoryError is handled at the CLI entry point.

We should limit the password to some reasonable length, as we already discussed in https://github.com/mvondracek/PA193_mnemonic_Slytherin/issues/12#issuecomment-544189651.

mvondracek commented 4 years ago

Updated the branch from dev and fixed conflicts.

mvondracek commented 4 years ago

Tests related to this bug are marked in code with @unittest.expectedFailure # BUG #29

mvondracek commented 4 years ago

@lsolodkova, any updates?

mvondracek commented 4 years ago

Fixed in 4b0335d17d162059aac942ecec757b2aa420ba11. Fix based on 25d35deb6a9e962f465ba1b5986c091c587bd803,
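
One way to enforce the password length limit discussed in this issue before the salt reaches pbkdf2_hmac, shown as an added example that is not the project's code or the fix in the commits named above. `MAX_PASSWORD_BYTES`, `PasswordTooLongError`, `normalize_password` and `generate_seed` are hypothetical names, the 1024-byte limit is an assumed value, and the mnemonic is assumed to be validated already.

```python
import hashlib
import unicodedata

# Assumed limit for this example (not the project's value): generous for a
# human-chosen password, tiny compared with what pbkdf2_hmac can accept.
MAX_PASSWORD_BYTES = 1024
PBKDF2_ROUNDS = 2048  # fixed by BIP39
SEED_LEN = 64         # fixed by BIP39


class PasswordTooLongError(ValueError):
    """Hypothetical exception: password exceeds MAX_PASSWORD_BYTES."""


def normalize_password(password: str) -> bytes:
    """Return the NFKD-normalized UTF-8 password, enforcing the length limit."""
    if not isinstance(password, str):
        raise TypeError("password must be str")
    # Cheap pre-check: NFKD never removes code points and UTF-8 needs at
    # least one byte each, so this rejects huge input before any copying.
    if len(password) > MAX_PASSWORD_BYTES:
        raise PasswordTooLongError("password is too long")
    encoded = unicodedata.normalize("NFKD", password).encode("utf-8")
    # Re-check: normalization and encoding can both expand the input.
    if len(encoded) > MAX_PASSWORD_BYTES:
        raise PasswordTooLongError("password is too long after normalization")
    return encoded


def generate_seed(mnemonic: str, password: str = "") -> bytes:
    """BIP39 seed from an already validated mnemonic and optional password."""
    salt = b"mnemonic" + normalize_password(password)
    secret = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", secret, salt, PBKDF2_ROUNDS, SEED_LEN)
```

The second check matters because a short string can grow under NFKD: 100 copies of U+FDFA pass the code-point pre-check but exceed the byte limit once normalized.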