lua-users home
lua-l archive

On Thu, Jan 19, 2012 at 01:47:16PM +0000, John Graham-Cumming wrote:
<snip>
> 1. Randomize the hash seed.  In the patch I developed I generate a new
> unsigned int using rand() and store it in the global state and then use it
> to initialize the hash value instead of the string length (as is done
> today).

rand() is anything but random. Likewise for random(). They're extremely
predictable. You're going to have to go platform specific. For OpenBSD or OS
X, for example, use arc4random(). For Linux use sysctl() and mib[] = {
CTL_KERN, KERN_RANDOM, RANDOM_UUID }.

Trying to use /dev random devices is broken for security-conscious
applications that have already called chroot().
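
The seeding approach discussed in this message, as an added example that is not part of the original post or of the Lua patch: `os_seed`, `seeded_hash` and `rand_is_repeatable` are hypothetical names, the hash loop is a simplified sketch in which the seed replaces the string length as the initial value, and on Linux `getrandom()` is swapped in for the sysctl route named above (it also needs no /dev node).

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#if defined(__linux__)
#include <sys/random.h>          /* getrandom(), glibc >= 2.25 */
#endif

/* Fill *seed from the OS CSPRNG. Returns 0 on success, -1 on failure.
 * No device node is opened, so this still works after chroot(). */
int os_seed(unsigned int *seed)
{
#if defined(__OpenBSD__) || defined(__APPLE__)
    *seed = arc4random();
    return 0;
#elif defined(__linux__)
    ssize_t n = getrandom(seed, sizeof *seed, 0);
    return n == (ssize_t)sizeof *seed ? 0 : -1;
#else
    (void)seed;
    return -1;                   /* fail closed; never fall back to rand() */
#endif
}

/* String hash whose initial value is a per-state seed, not the length. */
unsigned int seeded_hash(const char *s, size_t len, unsigned int seed)
{
    unsigned int h = seed;
    size_t step = (len >> 5) + 1;    /* sample long strings sparsely */
    for (size_t i = len; i >= step; i -= step)
        h ^= (h << 5) + (h >> 2) + (unsigned char)s[i - 1];
    return h;
}

/* rand() with no srand() call behaves as if srand(1) had been called,
 * so every process draws the same "seed". Returns 1 when that holds. */
int rand_is_repeatable(void)
{
    srand(1); int a = rand();
    srand(1); int b = rand();
    return a == b;
}

int main(void)
{
    unsigned int seed;
    if (os_seed(&seed) != 0) { fputs("no OS entropy source\n", stderr); return 1; }
    printf("rand() repeatable: %d\n", rand_is_repeatable());
    printf("hash(\"key\") = %u\n", seeded_hash("key", 3, seed));
    return 0;
}
```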