From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat 6 org.apache.catalina.session.ManagerBase issue
Date Mon, 09 Apr 2012 17:35:57 GMT
Chuck,

On 4/9/12 1:23 PM, Caldarale, Charles R wrote:
>> From: Christopher Schultz [mailto:chris@christopherschultz.net] 
>> Subject: Re: Tomcat 6 org.apache.catalina.session.ManagerBase issue
> 
>> Line 567: long update = ((byte) entropy[i]) << ((i % 8) * 8);
> 
>> 2. 'i' is reduced by the modulus operator to 0..7
> 
> And then multiplied by 8.
> 
>> 3. Thus, the value of entropy[i] is never left-shifted more than 7 bits
> 
> No, it's left shifted between 0 and 56 bits (maintaining byte
> alignment).  Information is lost.

Rrr. Duh. In fact, the upper 3 bytes of the entropy are lost, which is
quite a bit. This definitely should be cast to long at some point before
the << occurs.

Andros, please log a bug report in Bugzilla:
https://issues.apache.org/bugzilla/

-chris


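The shift problem discussed in the thread, as an added example written for this page (it is not Tomcat's code and not the project's eventual fix). It assumes the entropy source is a `char[]` indexed by `i`, as the quoted line suggests, and compares the int-width shift from the snippet with a long-width variant that also masks the byte to avoid sign extension; the method names and the constructed input are illustrative only.

```java
// Added example, not Tomcat code: shows why the int-width shift in the
// seed-mixing loop loses entropy and what a long-width version looks like.
public class EntropyMixDemo {

    // Same shape as the line quoted in the thread. The (byte) value is
    // promoted to int, so this is an int shift, and Java masks an int shift
    // distance to its low 5 bits (0..31). Shift amounts 32, 40, 48 and 56
    // therefore become 0, 8, 16 and 24: slots 4..7 collide with slots 0..3,
    // and the upper 32 bits of the seed are only ever touched by sign
    // extension of a negative int result, not by entropy.
    static long mixAsInt(char[] entropy, long seed) {
        for (int i = 0; i < entropy.length; i++) {
            long update = ((byte) entropy[i]) << ((i % 8) * 8);
            seed ^= update;
        }
        return seed;
    }

    // Assumed corrected form: mask to an unsigned byte value and widen to
    // long before shifting, so each of the 8 slots lands in its own byte
    // of the 64-bit seed and no 0xFF sign-extension smear occurs.
    static long mixAsLong(char[] entropy, long seed) {
        for (int i = 0; i < entropy.length; i++) {
            long update = ((long) (entropy[i] & 0xFF)) << ((i % 8) * 8);
            seed ^= update;
        }
        return seed;
    }

    public static void main(String[] args) {
        // Constructed input: one distinct byte per shift slot, plus a high
        // byte (0x80 or above) to make the sign-extension effect visible.
        char[] entropy = {'a', 'b', 'c', 'd', 'e', 'f', 'g', (char) 0x80};
        System.out.printf("int-shift : 0x%016x%n", mixAsInt(entropy, 0L));
        System.out.printf("long-shift: 0x%016x%n", mixAsLong(entropy, 0L));
    }
}
```

Running the two variants on the same input makes the loss concrete: with the int shift, `'a'` and `'e'` are XORed into the same low byte and cancel partially, while the high byte at slot 7 turns into a negative int and fills the upper half of the seed with 1 bits instead of carrying a byte of entropy; with the long shift, each input byte occupies its own position in the 64-bit seed.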