[hunchentoot-devel] MD5 array out of bounds

Hans Hübner hans.huebner at gmail.com
Wed Jun 27 09:46:59 UTC 2012 

Hi Kyle,

thank you for your bug report.  This is a CCL bug and I have opened a
bug in their bug tracking system for it
(http://trac.clozure.com/ccl/ticket/990).  Meanwhile, you may want to
try an older CCL release or use another Lisp if the problem stops you
from making progress.

-Hans

On Tue, Jun 26, 2012 at 8:41 PM, K B <orbisignis at msn.com> wrote:
> Hi all,
>
>
> I'm currently implementing a website using Hunchentoot (which I gotta say is
> a top bit of work!) and have stumbled upon a problem whilst trying to use
> sessions. The symptom is that, when a call to 'start-session' is made  I run
> into the error:
>
>
> "Error when creating REQUEST object: Array index 16 out of bounds for #(0 0
> 0 0 0 0 0 0 0 0 0 0 0 0 0 0)"
>
>
> Now, hunchentoot passes the client browser info string (not sure what is
> called,  but here is an example "Opera/9.80 (Windows NT 6.1; WOW64; U;
> Edition United Kingdom Local; en) Presto/2.10.289 Version/12.00") to the
> hunchentoot:md5-hex function. The interesting thing here is that the example
> I just gave will give an error but if you access it from another browser
> (e.g. Maxthon), there is no error. The difference is in the length of the
> "client browser info string" that the browser passes - it is shorter.
>
>
> I have followed the problem to the 'finalize-md5-state' function in the md5
> package, if this function is called with a string of 119 characters or less,
> everything is fine. However, call it  with 120 characters or more and it
> will throw the aforementioned error.
>
>
> I have managed whittle the problem down to the following piece of code in
> the function definition of 'finalize-md5-state' in the md5 package:
>
>
> ;; Create new fully 0 padded block
> (loop for index of-type (integer 0 16) from 0 below 16
> do (setf (aref block index) #x00000000)))
>
>
> If this is changed to:
>
>
> ;; Create new fully 0 padded block
>   (loop for index from 0 below 16
> do (setf (aref block index) #x00000000)))
>
>
> Then all is well, the function can be called with a string of more than 119
> characters and start-session will work fine with browsers that choose to use
> long self identification strings. Now, I am not particularly sure why doing
> this solves the problem, I don't *think* it should matter (looks like a bug
> to me, its just optimisation code, right?) but I am certainly not well
> enough versed with lisp to be able to pass any judgment.
>
>
> In case this is an implementation thing, I am running Hunchentoot on Clozure
> on Debian Squeeze. Also, this error occurs with versions 1.3 and 1.5 of the
> md5 package (according to Cliki, 1.5 is the most recent release, and I
> cannot find a newer version).
>
>
> Thought I'd best post it to the Hunchentoot list, even though technically it
> is an MD5 problem, as I'm sure someone else using Hunchentoot will bump into
> this problem sooner or later (or maybe one of your sites is a victim to it -
> Opera is not that popular a browser!), plus, I'm having trouble finding out
> where to post it for the maintainer of MD5 to see it.
>
>
> Cheers,
> Kyle
>
>
>
> _______________________________________________
> tbnl-devel site list
> tbnl-devel at common-lisp.net
> http://common-lisp.net/mailman/listinfo/tbnl-devel

More information about the Tbnl-devel mailing list