[core] memeq compare rounded to 64, not next 1M

3 years ago · e47ea5e2b0
1 changed files with 1 additions and 1 deletions
--- a/src/http_auth.c
+++ b/src/http_auth.c
@ -57,7 +57,7 @@ int http_auth_const_time_memeq (const char *a, const size_t alen, const char *b,
     * (similar to mod_secdownload.c:const_time_memeq()) */
    /* round to next multiple of 64 to avoid potentially leaking exact
     * password length when subject to high precision timing attacks) */
-    size_t lim = ((alen >= blen ? alen : blen) + 0xFFFFF) & ~0xFFFFF;
+    size_t lim = ((alen >= blen ? alen : blen) + 0x3F) & ~0x3F;
    int diff = 0;
    for (size_t i = 0, j = 0; lim; --lim) {
        diff |= (a[i] ^ b[j]);