From 8d45c8ab96a315d4784a7a3aa52cc1510f37eb8d Mon Sep 17 00:00:00 2001 From: Xin LI Date: Wed, 18 Feb 2015 08:21:51 +0000 Subject: [PATCH] - fortuna.c: catch up with r278927 and fix a buffer overflow by using the temporary buffer when remaining space is not enough to hold a whole block. - yarrow.c: add a comment that we intend to change the code and remove memcpy's in the future. (*) Requested by: markm (*) Reviewed by: markm Approved by: so (self) --- sys/dev/random/fortuna.c | 7 ++++++- sys/dev/random/yarrow.c | 1 + 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/sys/dev/random/fortuna.c b/sys/dev/random/fortuna.c index 6f6febbe2b23..2bb31f46dda0 100644 --- a/sys/dev/random/fortuna.c +++ b/sys/dev/random/fortuna.c @@ -298,8 +298,13 @@ random_fortuna_genrandom(uint8_t *buf, u_int bytecount) KASSERT((bytecount <= (1 << 20)), ("invalid single read request to fortuna of %d bytes", bytecount)); /* F&S - r = first-n-bytes(GenerateBlocks(ceil(n/16))) */ - blockcount = (bytecount + BLOCKSIZE - 1)/BLOCKSIZE; + blockcount = bytecount / BLOCKSIZE; random_fortuna_genblocks(buf, blockcount); + /* TODO: FIX! remove memcpy()! */ + if (bytecount % BLOCKSIZE > 0) { + random_fortuna_genblocks(temp, 1); + memcpy(buf + (blockcount * BLOCKSIZE), temp, bytecount % BLOCKSIZE); + } /* F&S - K = GenerateBlocks(2) */ random_fortuna_genblocks(temp, KEYSIZE/BLOCKSIZE); diff --git a/sys/dev/random/yarrow.c b/sys/dev/random/yarrow.c index 8c1de990adfc..88e09af94cc8 100644 --- a/sys/dev/random/yarrow.c +++ b/sys/dev/random/yarrow.c @@ -450,6 +450,7 @@ random_yarrow_read(uint8_t *buf, u_int bytecount) } uint128_increment(&yarrow_state.counter.whole); if ((i + 1) * BLOCKSIZE > bytecount) { + /* TODO: FIX! remove memcpy()! */ randomdev_encrypt(&yarrow_state.key, yarrow_state.counter.byte, tbuf, BLOCKSIZE); memcpy(buf, tbuf, bytecount - i * BLOCKSIZE);