[PATCH] Avoid undefined behavior for hashes using XOF

Werner Koch wk at gnupg.org
Thu Mar 24 11:25:04 CET 2016

On Thu, 24 Mar 2016 00:29, peter at lekensteyn.nl said:

> While the functions could simply shortcircuit and return early, let's
> perform the hash calculations anyway such that the benchmarks can be
> run. Copying zero bytes is valid according to the documentation of
> gcry_md_hash_buffer{,s} as gcry_md_get_algo_dlen() returns 0.

Your code is now:

  if (md_digest_length (algo))
    memcpy (digest, md_read (h, algo), md_digest_length (algo));

By adding the condition you avoid calling md_read which would return
NULL in the case of SHAKE128.  So the UB seems to be that memcpy (foo,
NULL, 0) is not defined - impractical but obviously another gcc/clang

I would suggest not to test for md_digest_length but to

  const void *tmp = md_read (h, algo);
  if (tmp)
    memcpy (digest, tmp, md_digest_length (algo));

which uses the real cause for the condition.  

_gcry_md_hash_buffers should however return an error and not silently
ignore it.  Even if that means adjusting the tests ;-)



Thoughts are free.  Exceptions are regulated by a federal law.
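
Added example, not part of the original mail and not libgcrypt code: a stand-alone C model of the suggestion above, testing the pointer returned by the read function and returning an error for an XOF instead of silently skipping the copy. All toy_* names, the 8-byte digest size and the mixing step are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for this example; none of this is libgcrypt code. */
enum toy_algo { TOY_FIXED = 1, TOY_XOF = 2 };
enum toy_err  { TOY_OK = 0, TOY_ERR_NO_FIXED_DIGEST = 1 };

struct toy_md { enum toy_algo algo; unsigned char state[8]; };

/* Fixed-output algorithms report a length; an XOF reports 0. */
static size_t toy_digest_length(enum toy_algo algo)
{
    return algo == TOY_FIXED ? 8 : 0;
}

/* Toy mixing step (not a real hash) so the fixed case yields visible output. */
static void toy_write(struct toy_md *h, const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        h->state[i % sizeof h->state] ^= (unsigned char)(buf[i] + i);
}

/* Like md_read in the mail: no fixed digest to hand out for an XOF. */
static const unsigned char *toy_read(const struct toy_md *h)
{
    return h->algo == TOY_FIXED ? h->state : NULL;
}

/* Tests the pointer (the real cause) and reports the failure to the caller. */
int toy_hash_buffer(enum toy_algo algo, unsigned char *digest,
                    const unsigned char *buf, size_t len)
{
    struct toy_md h = { algo, { 0 } };
    const unsigned char *tmp;

    toy_write(&h, buf, len);            /* hashing still runs, as in the patch */
    tmp = toy_read(&h);
    if (!tmp)
        return TOY_ERR_NO_FIXED_DIGEST; /* memcpy never sees a null source */
    memcpy(digest, tmp, toy_digest_length(algo));
    return TOY_OK;
}

int main(void)
{
    unsigned char out[8] = { 0 };
    printf("fixed: %d\n", toy_hash_buffer(TOY_FIXED, out, (const unsigned char *)"abc", 3));
    printf("xof:   %d\n", toy_hash_buffer(TOY_XOF, out, (const unsigned char *)"abc", 3));
    return 0;
}
```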
