From e47ea5e2b0e797eb0cef705a4bbc1181e3ede332 Mon Sep 17 00:00:00 2001
From: Glenn Strauss
Date: Mon, 7 Jan 2019 03:05:31 -0500
Subject: [PATCH] [core] memeq compare rounded to 64, not next 1M
---
 src/http_auth.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/http_auth.c b/src/http_auth.c
index dbc1af75..035922b0 100644
--- a/src/http_auth.c
+++ b/src/http_auth.c
@@ -57,7 +57,7 @@ int http_auth_const_time_memeq (const char *a, const size_t alen, const char *b,
 * (similar to mod_secdownload.c:const_time_memeq()) */
 /* round to next multiple of 64 to avoid potentially leaking exact
 * password length when subject to high precision timing attacks) */
- size_t lim = ((alen >= blen ? alen : blen) + 0xFFFFF) & ~0xFFFFF;
+ size_t lim = ((alen >= blen ? alen : blen) + 0x3F) & ~0x3F;
 int diff = 0;
 for (size_t i = 0, j = 0; lim; --lim) {
 diff |= (a[i] ^ b[j]);
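Review bot: The comment above `size_t lim` should say what the 64-byte rounding still reveals: the iteration count follows the larger of `alen` and `blen` rounded up to 64, so the exact length is hidden only within a 64-byte bucket, and inputs whose longer length falls in different buckets run a different number of iterations. I would extend the comment with something like `/* length is hidden only within a 64-byte bucket; lim follows max(alen, blen), so document which argument is the secret */`. As a point of style, writing the mask as `~(size_t)0x3F` keeps the constant at the width of `lim` instead of relying on the int-to-size_t conversion of `~0x3F`. The loop body and the return continue outside the hunk, so how `i` and `j` are kept within `alen` and `blen` while `lim` exceeds both cannot be checked from here.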