bug-coreutils

md5sum --check: ignore invalid lines


From: Jim Meyering
Subject: md5sum --check: ignore invalid lines
Date: Sat, 19 Apr 2008 00:33:27 +0200

md5sum --check would fail to recognize as invalid a line with one or more
NUL bytes in the hex digit digest string.  As such, it would unnecessarily
open the named file and issue a diagnostic (this is the bug) about the
mismatch for an improperly formatted input line.  For example:

    $ perl -e 'print "a\0zzzzzzzzzzzzzzzzzzzzzzzzzzzzzz  k\n"' > k
    $ /usr/bin/md5sum -c k
    k: FAILED
    /usr/bin/md5sum: WARNING: 1 of 1 computed checksum did NOT match
    [Exit 1]

Now, it ignores the invalid line:

    $ md5sum -c k
    md5sum: k: no properly formatted MD5 checksum lines found
    [Exit 1]

Here's the fix:

        md5sum -c: ignore a line with a NUL byte among checksum hex digits
        * src/md5sum.c (hex_digits): Require that all "digest_hex_bytes"
        be hexadecimal digits, not just those before the first NUL byte.
        This bug dates back to the original version:
        3763a4f24eb21be40674d13ff7b04e078f473e85
        * tests/misc/md5sum (nul-in-cksum): Test for the above.
        * NEWS [Bug fixes]: Mention this.
        Prompted by a report from Flóki Pálsson in
        http://bugzilla.redhat.com/439531

Signed-off-by: Jim Meyering <address@hidden>
---
 NEWS              |    7 +++++++
 src/md5sum.c      |    7 +++++--
 tests/misc/md5sum |    8 ++++++++
 3 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 3a584e9..3cc7151 100644
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,13 @@ GNU coreutils NEWS                                    -*- 
outline -*-
   sha1sum, sha224sum, sha384sum, and sha512sum are affected, too.
   [bug introduced in coreutils-5.1.0]

+  md5sum -c would accept a NUL-containing checksum string like "abcd\0..."
+  and would unnecessarily read and compute the checksum of the named file,
+  and then compare that checksum to the invalid one: guaranteed to fail.
+  Now, it recognizes that the line is not valid and skips it.
+  sha1sum, sha224sum, sha384sum, and sha512sum are affected, too.
+  [bug present in the original version, in coreutils-4.5.1, 1995]
+
   "mkdir -Z x dir" no longer segfaults when diagnosing invalid context "x"
   mkfifo and mknod would fail similarly.  Now they're fixed.

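Review bot: The new NEWS entry says only that the line is now skipped; it does not say what the user sees instead. With a checksum file whose only line is the malformed one, the output changes from "k: FAILED" plus the mismatch warning to "no properly formatted MD5 checksum lines found", so consider adding that to the entry for anyone who parses the output. The closing tag also reads "[bug present in the original version, ...]" where the entry just above uses "[bug introduced in coreutils-5.1.0]"; using the same "[bug introduced in ...]" wording would keep the tags uniform.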
diff --git a/src/md5sum.c b/src/md5sum.c
index ba762d1..f83a7b1 100644
--- a/src/md5sum.c
+++ b/src/md5sum.c
@@ -343,16 +343,19 @@ split_3 (char *s, size_t s_len,
   return true;
 }

+/* Return true if S is a NUL-terminated string of DIGEST_HEX_BYTES hex digits.
+   Otherwise, return false.  */
 static bool
 hex_digits (unsigned char const *s)
 {
-  while (*s)
+  unsigned int i;
+  for (i = 0; i < digest_hex_bytes; i++)
     {
       if (!isxdigit (*s))
         return false;
       ++s;
     }
-  return true;
+  return *s == '\0';
 }

 /* An interface to the function, DIGEST_STREAM.
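Review bot: The counter in hex_digits is declared "unsigned int i" but is compared against digest_hex_bytes, whose declaration is outside this hunk; if that variable is a size_t, declare i as size_t so the comparison is between like types. Separately, the loop bound no longer depends on *s, so it is worth a sentence in the new comment that a NUL inside the first DIGEST_HEX_BYTES bytes fails isxdigit and returns false at once, which means the function never reads past the terminator. The final "return *s == '\0';" also rejects a hex run longer than DIGEST_HEX_BYTES, which matches the comment.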
diff --git a/tests/misc/md5sum b/tests/misc/md5sum
index 25069fd..474656f 100755
--- a/tests/misc/md5sum
+++ b/tests/misc/md5sum
@@ -66,6 +66,14 @@ my @Tests =
                                {AUX=> {f=> 'bar'}}, {EXIT=> 1}],
      ['bsd-segv', '--check', {IN=> {'z' => "MD5 ("}}, {EXIT=> 1},
       {ERR=> "$prog: z: no properly formatted MD5 checksum lines found\n"}],
+
+     # Ensure that when there's a NUL byte among the checksum hex digits
+     # we detect the invalid formatting and don't even open the file.
+     # Up to coreutils-6.10, this would report:
+     #   h: FAILED
+     #   md5sum: WARNING: 1 of 1 computed checksum did NOT match
+     ['nul-in-cksum', '--check', {IN=> {'h'=>("\0"x32)."  h\n"}}, {EXIT=> 1},
+      {ERR=> "$prog: h: no properly formatted MD5 checksum lines found\n"}],
     );

 # Insert the `--text' argument for each test.
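Review bot: The nul-in-cksum case uses ("\0"x32), so the NUL sits at offset 0 only; the input from the report has a valid hex digit first and then the NUL ("a\0zzz..."), and that shape is not tested. Consider a second case with the NUL after one or more hex digits, since that is the pattern the commit message describes ("not just those before the first NUL byte"). NEWS also states that sha1sum, sha224sum, sha384sum and sha512sum are affected, and this hunk adds coverage for md5sum only.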
--
1.5.5.68.gd193e
