From: "Todd C. Miller" <millert@openbsd.org>
Subject: Re: fix dubious checksum failures in got-fetch-pack
To: Stefan Sperling <stsp@stsp.name>
Cc: gameoftrees@openbsd.org
Date: Sat, 29 Oct 2022 15:35:42 -0600

On Sat, 29 Oct 2022 23:27:34 +0200, Stefan Sperling wrote:

> Using a work-in-progress regression test suite for gotd, I can trigger
> occasional checksum failures in got-fetch-pack while cloning a repository.
>
> This is a long-standing bug in got-fetch-pack, where only one byte stored
> in the potential sha1 checksum buffer is moved (copied) up, instead of
> shifting all of the remaining bytes up by one position, as was intended. 
> As a result, the checksum we end up computing for the pack file is incorrect.
>
> This can be triggered if the server is doing very short writes, and is
> probably rare enough with git-daemon/Github that we haven't seen it fail
> very often.

Your fix looks correct, I'm just not sure why you need to call
SHA1Update() and memmove() in a loop like this.  Can't you just
call SHA1Update() once?

 - todd