fix dubious checksum failures in got-fetch-pack

From:: "Todd C. Miller" <millert@openbsd.org>
Subject:: Re: fix dubious checksum failures in got-fetch-pack
To:: Stefan Sperling <stsp@stsp.name>
Cc:: gameoftrees@openbsd.org
Date:: Sat, 29 Oct 2022 15:35:42 -0600

Download raw body.

Thread

2022-10-29 21:27 Stefan Sperling:
fix dubious checksum failures in got-fetch-pack
- 2022-10-29 21:35 Todd C. Miller:
  fix dubious checksum failures in got-fetch-pack
- - 2022-10-30 07:19 Stefan Sperling:
    fix dubious checksum failures in got-fetch-pack
  - - 2022-10-30 14:13 Todd C. Miller:
      fix dubious checksum failures in got-fetch-pack

On Sat, 29 Oct 2022 23:27:34 +0200, Stefan Sperling wrote:

> Using a work-in-progress regression test suite for gotd, I can trigger
> occasional checksum failures in got-fetch-pack while cloning a repository.
>
> This is a long-standing bug in got-fetch-pack, where only one byte stored
> in the potential sha1 checksum buffer is moved (copied) up, instead of
> shifting all of the remaining bytes up by one position, as was intended. 
> As a result, the checksum we end up computing for the pack file is incorrect.
>
> This can be triggered if the server is doing very short writes, and is
> probably rare enough with git-daemon/Github that we haven't seen it fail
> very often.

Your fix looks correct, I'm just not sure why you need to call
SHA1Update() and memmove() in a loop like this.  Can't you just
call SHA1Update() once?

 - todd

2022-10-29 21:27 Stefan Sperling:
fix dubious checksum failures in got-fetch-pack
- 2022-10-29 21:35 Todd C. Miller:
  fix dubious checksum failures in got-fetch-pack
- - 2022-10-30 07:19 Stefan Sperling:
    fix dubious checksum failures in got-fetch-pack
  - - 2022-10-30 14:13 Todd C. Miller:
      fix dubious checksum failures in got-fetch-pack