Re: Tomcat 6 org.apache.catalina.session.ManagerBase issue - Christopher Schultz - org.apache.tomcat.dev

6 messages in org.apache.tomcat.devRe: Tomcat 6 org.apache.catalina.ses...

From	Sent On	Attachments
Andras Rozsa	Apr 8, 2012 7:04 pm
Christopher Schultz	Apr 9, 2012 10:18 am
Christopher Schultz	Apr 9, 2012 10:21 am
Caldarale, Charles R	Apr 9, 2012 10:23 am
Christopher Schultz	Apr 9, 2012 10:35 am
Andras Rozsa	Apr 9, 2012 10:46 am

Subject:	Re: Tomcat 6 org.apache.catalina.session.ManagerBase issue
From:	Christopher Schultz (chr...@christopherschultz.net)
Date:	Apr 9, 2012 10:35:34 am
List:	org.apache.tomcat.dev

Chuck,

On 4/9/12 1:23 PM, Caldarale, Charles R wrote:

From: Christopher Schultz [mailto:chr...@christopherschultz.net] Subject: Re: Tomcat 6 org.apache.catalina.session.ManagerBase issue

Line 567: long update = ((byte) entropy[i]) << ((i % 8) * 8);

2. 'i' is reduced by the modulus operator to 0..7

And then multiplied by 8.

3. Thus, the value of entropy[i] is never left-shifted more than 7 bits

No, it's left shifted between 0 and 56 bits (maintaining byte alignment). Information is lost.

Rrr. Duh. In fact, the upper 3 bytes of the entropy are lost, which is quite a bit. This definitely should be cast to long at some point before the << occurs.

Andros, please log a bug report in Bugzilla: https://issues.apache.org/bugzilla/

-chris

	Start a set with this search
	Include this search in one of my sets
	Exclude this search from one of my sets