
On Dec 31, 2011, at 6:14 PM, TNHarris wrote:

> On 12/31/2011 09:22 AM, Alexander Gladysh wrote:
>> It would also be nice to know, if LJ2 implementation is vulnerable.
> It is. LJ2 will only use at most 16 bytes from the string for hashing. The longer the string, the easier it is to guess which bytes are skipped, even if you randomize the selection. In a 32 byte string, the 19th through 28th bytes are not used in the hash.

I am increasingly convinced that the best defense is to fail string interning when the buckets get too long. This obviously could reject some non-malicious cases, but those shouldn't be that common.
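
An added example, not part of the original message and not Lua or LuaJIT code: an intern table in C that refuses new strings once a bucket chain reaches a cap, the defense proposed above. `sampled_hash`, `MAX_CHAIN`, `NBUCKETS` and the table layout are assumptions made for illustration; the hash is a constructed stand-in that reads at most 16 bytes of the string.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NBUCKETS  64
#define MAX_CHAIN 8   /* assumed cap; a real VM would tune this */

typedef struct Str { struct Str *next; size_t len; char data[]; } Str;
static Str *buckets[NBUCKETS];

/* Constructed stand-in for a sampling hash: reads at most 16 bytes
   (first 8 and last 8). Not LuaJIT's actual hash function. */
static uint32_t sampled_hash(const char *s, size_t len) {
    uint32_t h = (uint32_t)len;
    for (size_t i = 0; i < len; i++) {
        if (len > 16 && i >= 8 && i < len - 8) continue; /* skipped bytes */
        h = (h ^ (unsigned char)s[i]) * 16777619u;
    }
    return h;
}

/* Returns the interned string, or NULL when the bucket chain is already
   MAX_CHAIN long (the "fail interning" defense) or allocation fails. */
static const Str *intern(const char *s, size_t len) {
    Str **head = &buckets[sampled_hash(s, len) % NBUCKETS];
    size_t chain = 0;
    for (Str *p = *head; p; p = p->next, chain++)
        if (p->len == len && memcmp(p->data, s, len) == 0) return p;
    if (chain >= MAX_CHAIN) return NULL;   /* reject instead of growing */
    Str *n = malloc(sizeof *n + len);
    if (!n) return NULL;
    n->len = len;
    memcpy(n->data, s, len);
    n->next = *head;
    *head = n;
    return n;
}

/* Interns `count` constructed 32-byte strings that differ only in byte 16,
   which sampled_hash never reads; returns how many were accepted. */
static int intern_colliding(int count) {
    char buf[32];
    int accepted = 0;
    memset(buf, 'a', sizeof buf);
    for (int i = 0; i < count; i++) {
        buf[16] = (char)('A' + i);
        if (intern(buf, sizeof buf)) accepted++;
    }
    return accepted;
}
```

Strings already in the table are still found after the cap is hit; only new entries for the overfull bucket are refused, which is where the non-malicious rejections mentioned above would come from.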