Mark Karpilovskij wrote:
> If only a single call to SipHash_Update is performed or if the size of
> processed data is a multiple of sizeof(ctx->buf), this bug does nothing.
> However when we performed several updates of various lengths, the data
> written to ctx->buf were too long and the call to memcpy overwrote other
> data, which led to various unexpected behavior.

I concur. Here's a diff for review.

Index: siphash.c
===================================================================
RCS file: /cvs/src/lib/libc/hash/siphash.c,v
retrieving revision 1.6
diff -u -p -r1.6 siphash.c
--- siphash.c 12 Apr 2017 17:41:49 -0000 1.6
+++ siphash.c 22 Dec 2017 01:13:59 -0000
@@ -104,7 +104,7 @@ SipHash_Update(SIPHASH_CTX *ctx, int rc,
}
if (len > 0)
- memcpy(&ctx->buf[used], ptr, len);
+ memcpy(ctx->buf, ptr, len);
}
DEF_WEAK(SipHash_Update);
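
Review bot: the trailing memcpy(ctx->buf, ptr, len) under `if (len > 0)` carries no comment explaining why offset 0 is correct there, which makes it easy for `used` to be reintroduced later. A one-line comment stating that any previously buffered bytes have already been consumed by this point (that handling sits earlier in the function, outside this hunk) would help. The change should also come with a regression test that calls SipHash_Update several times with lengths that are not multiples of sizeof(ctx->buf) and compares the result with a single-call hash, since per the report single calls and block-multiple lengths never reach the faulty copy.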
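
The overflow described in the quoted report can be reproduced safely in a small model. This is an added example, not the libc code: the surrounding function structure, the 8-byte block size and the names `model_update`, `canary_hits` and `BLK` are assumptions, and the compression step is omitted.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLK 8   /* assumed block size, standing in for sizeof(ctx->buf) */
struct model {
	uint8_t mem[2 * BLK];   /* mem[0..BLK-1] plays ctx->buf, the rest is a canary zone */
	size_t bytes;           /* total bytes absorbed so far */
};

/* Buffered update; stale_offset=1 keeps the pre-patch tail copy at &buf[used]. */
static void model_update(struct model *m, const uint8_t *ptr, size_t len, int stale_offset)
{
	size_t used = m->bytes % BLK, left = BLK - used;
	m->bytes += len;
	if (used > 0) {
		if (len < left) {                   /* still a partial block: append and stop */
			memcpy(&m->mem[used], ptr, len);
			return;
		}
		memcpy(&m->mem[used], ptr, left);   /* block complete; compression would run here */
		len -= left; ptr += left;
	}
	while (len >= BLK) { len -= BLK; ptr += BLK; }  /* whole blocks come from the input */
	if (len > 0)                            /* buffer is empty here, so the tail belongs at 0 */
		memcpy(&m->mem[stale_offset ? used : 0], ptr, len);
}

/* Run two updates over constructed input; return how many canary bytes changed. */
static int canary_hits(size_t first, size_t second, int stale_offset)
{
	struct model m = { .bytes = 0 };
	uint8_t in[4 * BLK];
	int hits = 0;
	memset(m.mem + BLK, 0xCC, BLK);         /* canary pattern behind the block buffer */
	memset(in, 0x41, sizeof(in));           /* constructed input bytes */
	model_update(&m, in, first, stale_offset);
	model_update(&m, in, second, stale_offset);
	for (size_t i = BLK; i < 2 * BLK; i++)
		hits += (m.mem[i] != 0xCC);
	return hits;
}

int main(void)
{
	printf("pre-patch: %d, patched: %d\n", canary_hits(5, 10, 1), canary_hits(5, 10, 0));
	return 0;
}
```

The canary zone is sized so that the worst case of the stale offset (offset 7 plus a 7-byte tail) stays inside `mem`, so the model itself never writes out of bounds.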