diff options
| author | Renat Nurgaliyev <impleman@gmail.com> | 2020-11-15 15:52:38 +0100 |
|---|---|---|
| committer | Ilya Maximets <i.maximets@ovn.org> | 2020-11-16 17:37:54 +0100 |
| commit | c8d4e52b70c2f77590dd155616a6d7955029de27 (patch) | |
| tree | e14847811c119fd998bf5483ff80e903fa168d05 | |
| parent | e24d1f39e763615a9cd7aea9c8fc2a4a235048a7 (diff) | |
| download | openvswitch-c8d4e52b70c2f77590dd155616a6d7955029de27.tar.gz | |
sha1: Fix algorithm for data bigger than 512 megabytes.
In modern systems, size_t is 64 bits. There is a 32 bit overflow check
in sha1_update(), which will not work correctly, because compiler will
do an automatic cast to 64 bits, since size_t type variable is in the
expression. We do want however to lose data, since this is the whole
idea of this overflow check.
Because of this, computation of SHA-1 checksum will always be incorrect
for any data, that is bigger than 512 megabytes, which in bits is the
boundary of 32 bits integer.
In practice it means that any OVSDB transaction, bigger or equal to 512
megabytes, is considered corrupt and ovsdb-server will refuse to work
with the database file. This is especially critical for OVN southbound
database, since it tends to grow rapidly.
Fixes: 5eccf359391f ("Replace SHA-1 library with one that is clearly licensed.")
Signed-off-by: Renat Nurgaliyev <impleman@gmail.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | lib/sha1.c | 4 | ||||
| -rw-r--r-- | lib/sha1.h | 4 |
3 files changed, 6 insertions, 4 deletions
@@ -1,5 +1,7 @@ v2.10.6 - xx xxx xxxx --------------------- + - OVSDB: + * Fixed SHA-1 hash computation for databases larger than 512 MB. v2.10.5 - 30 Jul 2020 --------------------- diff --git a/lib/sha1.c b/lib/sha1.c index 4f48ef210..87360d9cd 100644 --- a/lib/sha1.c +++ b/lib/sha1.c @@ -197,7 +197,7 @@ sha1_init(struct sha1_ctx *sha_info) * inputLen: The length of the input buffer. */ void -sha1_update(struct sha1_ctx *ctx, const void *buffer_, size_t count) +sha1_update(struct sha1_ctx *ctx, const void *buffer_, uint32_t count) { const uint8_t *buffer = buffer_; unsigned int i; @@ -274,7 +274,7 @@ sha1_final(struct sha1_ctx *ctx, uint8_t digest[SHA1_DIGEST_SIZE]) /* Computes the hash of 'n' bytes in 'data' into 'digest'. */ void -sha1_bytes(const void *data, size_t n, uint8_t digest[SHA1_DIGEST_SIZE]) +sha1_bytes(const void *data, uint32_t n, uint8_t digest[SHA1_DIGEST_SIZE]) { struct sha1_ctx ctx; diff --git a/lib/sha1.h b/lib/sha1.h index eda265dfc..a635ff768 100644 --- a/lib/sha1.h +++ b/lib/sha1.h @@ -45,9 +45,9 @@ struct sha1_ctx { }; void sha1_init(struct sha1_ctx *); -void sha1_update(struct sha1_ctx *, const void *, size_t); +void sha1_update(struct sha1_ctx *, const void *, uint32_t size); void sha1_final(struct sha1_ctx *, uint8_t digest[SHA1_DIGEST_SIZE]); -void sha1_bytes(const void *, size_t, uint8_t digest[SHA1_DIGEST_SIZE]); +void sha1_bytes(const void *, uint32_t size, uint8_t digest[SHA1_DIGEST_SIZE]); #define SHA1_FMT \ "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x" \ |