efl/eina: prevent denial of service on eina_hash.

Thanks goes to Thiago Macieira for sharing the issue. This is the result of the cross-desktop talk at fosdem. A lot more comming in the futur ! SVN revision: 83578
2013-02-04 07:52:56 +00:00 · 2013-02-04 07:52:56 +00:00 · 01dba3fbc0
parent 56120ef74d
commit 01dba3fbc0
5 changed files with 19 additions and 7 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+2013-02-04  Cedric Bail
+
+	* eina: counter measure denial of service on eina_hash function.
+
 2013-02-04  Jihoon Kim (jihoon)

        * edje entry : Support &, < and > in preedit string.
--- a/1
+++ b/1
@ -140,3 +140,4 @@ Fixes:
    * Fix evas gif loader to return the correct frame duration
    * Prevent a crash even if an invalid object is swallowed into an edje object.
    * Fix cache miss when active edje hash is empty.
+    * Prevent denial of service on eina_hash function.
--- a/src/lib/eina/eina_hash.c
+++ b/src/lib/eina/eina_hash.c
@ -1325,7 +1325,7 @@ eina_hash_iterator_tuple_new(const Eina_Hash *hash)
 EAPI int
 eina_hash_superfast(const char *key, int len)
 {
-   int hash = len, tmp;
+   int hash = len ^ eina_seed, tmp;
   int rem;

   rem = len & 3;
--- a/src/lib/eina/eina_inline_hash.x
+++ b/src/lib/eina/eina_inline_hash.x
@ -19,6 +19,8 @@
 #ifndef EINA_INLINE_HASH_X_
 #define EINA_INLINE_HASH_X_

+EAPI extern unsigned int eina_seed;
+
 /*
  djb2 hash algorithm was first reported by dan bernstein, and was the old
  default hash function for evas.
@ -26,7 +28,7 @@
 static inline int
 eina_hash_djb2(const char *key, int len)
 {
-   unsigned int hash_num = 5381;
+   unsigned int hash_num = 5381 ^ eina_seed;
   const unsigned char *ptr;

   if (!key) return 0;
@ -39,7 +41,7 @@ eina_hash_djb2(const char *key, int len)
 static inline int
 eina_hash_djb2_len(const char *key, int *plen)
 {
-   unsigned int hash_num = 5381;
+   unsigned int hash_num = 5381 ^ eina_seed;
   int len = 0;
   const unsigned char *ptr;

@ -64,7 +66,7 @@ eina_hash_int32(const unsigned int *pkey, int len)
   key ^= key >> 12;
   key += key << 2;
   key ^= key >> 4;
-   key *= 2057;
+   key *= 2057 ^ eina_seed;
   key ^= key >> 16;
   return key;
 }
@ -78,7 +80,7 @@ eina_hash_int64(const unsigned long int *pkey, int len)

   key  = ~key + (key << 18);
   key ^= key >> 31;
-   key *= 21;
+   key *= 21 ^ eina_seed;
   key ^= key >> 11;
   key += key << 6;
   key ^= key >> 22;
@ -107,8 +109,8 @@ eina_hash_murmur3(const char *key, int len)
   const unsigned char * data = (const unsigned char*)key;
   const int nblocks = len / 4;
   unsigned int h1 = 0, k1;
-   unsigned int c1 = 0xcc9e2d51;
-   unsigned int c2 = 0x1b873593;
+   unsigned int c1 = 0xcc9e2d51 ^ eina_seed;
+   unsigned int c2 = 0x1b873593 ^ eina_seed;
   const unsigned int * blocks = (const unsigned int *)(data + nblocks*4);
   int i;
   const unsigned char *tail;
--- a/src/lib/eina/eina_main.c
+++ b/src/lib/eina/eina_main.c
@ -99,6 +99,7 @@ static int _eina_log_dom = -1;

 EAPI Eina_Bool _eina_threads_activated = EINA_FALSE;
 EAPI Eina_Error EINA_ERROR_NOT_MAIN_LOOP = 0;
+EAPI unsigned int eina_seed = 0;

 static const char EINA_ERROR_NOT_MAIN_LOOP_STR[] = "Main loop thread check failed.";

@ -249,6 +250,10 @@ eina_init(void)
   if (EINA_LIKELY(_eina_main_count > 0))
      return ++_eina_main_count;

+   srand(time(NULL));
+   while (eina_seed == 0)
+     eina_seed = rand();
+
 #ifdef MT
   if ((getenv("EINA_MTRACE")) && (getenv("MALLOC_TRACE")))
     {