fix(cksum): reject absurdly large SHAKE --length instead of aborting#13083
Open
koopatroopa787 wants to merge 2 commits into
Open
fix(cksum): reject absurdly large SHAKE --length instead of aborting#13083koopatroopa787 wants to merge 2 commits into
koopatroopa787 wants to merge 2 commits into
Conversation
…ixes uutils#12869) cksum -a shake128/shake256 --length accepted any usize value in bits with no upper bound. A value like 10011111117721172727 overflows the digest buffer allocation in Digest::result(), causing a Rust memory allocation failure and process abort (exit 134) instead of a clean error. Cap --length for SHAKE algorithms at 8192 bits (1 KiB of output), comfortably above any real use case, and report a GNU-style error when exceeded. Add a regression test.
|
GNU testsuite comparison: |
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
Per review feedback, replace the fixed upper bound on --length with a recoverable error from Vec::try_reserve_exact. GNU utils don't impose arbitrary "realistic use case" limits, so Digest::result() now returns io::Result<DigestOutput> and reports an OutOfMemory error instead of letting the allocator abort the process when the requested length is absurdly large. Fixes uutils#12869
Contributor
Author
|
Done — reworked the fix as suggested. Dropped the fixed-cap test and replaced it with one that just verifies an absurdly large Pushed as c3bb6a7. |
Contributor
|
Thankyou! |
This was referenced Jun 26, 2026
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes
Fixes #12869
Problem
`cksum -a shake128/shake256 --length` accepted any `usize` value in bits with no upper bound. For example:
```
$ cksum -l=10011111117721172727 --algorithm shake128 a
memory allocation of 1251388889715146591 bytes failed
Aborted (core dumped)
```
The unsanitized length flows straight into the digest buffer allocation in `Digest::result()` (`vec![0; self.output_bits().div_ceil(8)]`), which aborts the whole process on an allocation failure rather than returning a clean error.
Fix
Cap `--length` for SHAKE128/SHAKE256 at 8192 bits (1 KiB of output), comfortably above any realistic use case, and report a GNU-style error (`invalid length: '...'` + `maximum digest length for 'SHAKE128' is 8192 bits`) when exceeded — mirroring the existing bound already enforced for BLAKE2b.
Test plan
test_shake_length_too_large_does_not_paniccovering bothshake128andshake256.cargo test --test tests shakepasses (29 tests).