From 33984e72abf6c3aa1fed37740d8731c96f68d6e2 Mon Sep 17 00:00:00 2001
From: Giuseppe D'Angelo
Date: Sat, 24 Mar 2012 08:36:52 +0000
Subject: QHash security fix (1/2): add global QHash seed

Algorithmic complexity attacks against hash tables have been known since 2003 (cf. [1, 2]), and they have been left unpatched for years until the 2011 attacks [3] against many libraries / (reference) implementations of programming languages.

This patch adds a global integer, to be used as a seed for the hash function itself. The seed is randomly initialized the first time a QHash detaches from shared_null.

Right now the seed is not used at all -- another patch will modify qHash to make use of it.

[1] http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003.pdf
[2] http://perldoc.perl.org/perlsec.html#Algorithmic-Complexity-Attacks
[3] http://www.ocert.org/advisories/ocert-2011-003.html

Task-number: QTBUG-23529
Change-Id: I7519e4c02b9c2794d1c14079b01330eb356e9c65
Reviewed-by: Thiago Macieira

--- tools/configure/configure_pch.h | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'tools/configure') diff --git a/tools/configure/configure_pch.h b/tools/configure/configure_pch.h index 0831364fe1..36a25dcca8 100644 --- a/tools/configure/configure_pch.h +++ b/tools/configure/configure_pch.h @@ -39,6 +39,11 @@ ** ****************************************************************************/ +// for rand_s, _CRT_RAND_S must be #defined before #including stdlib.h. +// put it at the beginning so some indirect inclusion doesn't break it +#ifndef _CRT_RAND_S +#define _CRT_RAND_S +#endif #include #include #include -- cgit v1.2.3
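
Review bot: The _CRT_RAND_S define added at the top of configure_pch.h only protects translation units that include this precompiled header before anything else; a build with precompiled headers turned off, or a source file that reaches stdlib.h by another route first, will not get the rand_s declaration and the seeding code will fail to compile or fall back silently, depending on how it is guarded. Consider also defining the macro in the source file that calls rand_s, ahead of its first include, or in the project's compiler defines, and keeping this copy for the PCH case. The new comment could also say that the macro is specific to the Microsoft CRT, since the block is not wrapped in any compiler or platform check. This view is limited to tools/configure, so the seed initialization described in the commit message is not visible here; in the full change it is worth confirming that the return value of rand_s is checked before the result is used as the seed.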