"GOT", but the "O" is a cute, smiling sun Index | Thread

From:
"Todd C. Miller" <millert@openbsd.org>
Subject:
Re: fix dubious checksum failures in got-fetch-pack
To:
Stefan Sperling <stsp@stsp.name>
Cc:
gameoftrees@openbsd.org
Date:
Sat, 29 Oct 2022 15:35:42 -0600

Download raw body.

On Sat, 29 Oct 2022 23:27:34 +0200, Stefan Sperling wrote:

> Using a work-in-progress regression test suite for gotd, I can trigger
> occasional checksum failures in got-fetch-pack while cloning a repository.
>
> This is a long-standing bug in got-fetch-pack, where only one byte stored
> in the potential sha1 checksum buffer is moved (copied) up, instead of
> shifting all of the remaining bytes up by one position, as was intended. 
> As a result, the checksum we end up computing for the pack file is incorrect.
>
> This can be triggered if the server is doing very short writes, and is
> probably rare enough with git-daemon/Github that we haven't seen it fail
> very often.

Your fix looks correct, I'm just not sure why you need to call
SHA1Update() and memmove() in a loop like this.  Can't you just
call SHA1Update() once?

 - todd