- fortuna.c: catch up with r278927 and fix a buffer overflow by using the

temporary buffer when remaining space is not enough to hold a whole block. - yarrow.c: add a comment that we intend to change the code and remove memcpy's in the future. (*) Requested by: markm (*) Reviewed by: markm Approved by: so (self)
svn path=/head/; revision=278950
2015-02-18 08:21:51 +00:00 · 2015-02-18 08:21:51 +00:00 · 8d45c8ab96 · 2020-12-20 02:59:44 +00:00
commit 8d45c8ab96
parent 9fdc5d59f3
2 changed files with 7 additions and 1 deletions
--- a/sys/dev/random/fortuna.c
+++ b/sys/dev/random/fortuna.c
@ -298,8 +298,13 @@ random_fortuna_genrandom(uint8_t *buf, u_int bytecount)
 	KASSERT((bytecount <= (1 << 20)), ("invalid single read request to fortuna of %d bytes", bytecount));

 	/* F&S - r = first-n-bytes(GenerateBlocks(ceil(n/16))) */
-	blockcount = (bytecount + BLOCKSIZE - 1)/BLOCKSIZE;
+	blockcount = bytecount / BLOCKSIZE;
 	random_fortuna_genblocks(buf, blockcount);
+	/* TODO: FIX! remove memcpy()! */
+	if (bytecount % BLOCKSIZE > 0) {
+		random_fortuna_genblocks(temp, 1);
+		memcpy(buf + (blockcount * BLOCKSIZE), temp, bytecount % BLOCKSIZE);
+	}

 	/* F&S - K = GenerateBlocks(2) */
 	random_fortuna_genblocks(temp, KEYSIZE/BLOCKSIZE);
--- a/sys/dev/random/yarrow.c
+++ b/sys/dev/random/yarrow.c
@ -450,6 +450,7 @@ random_yarrow_read(uint8_t *buf, u_int bytecount)
 		}
 		uint128_increment(&yarrow_state.counter.whole);
 		if ((i + 1) * BLOCKSIZE > bytecount) {
+			/* TODO: FIX! remove memcpy()! */
 			randomdev_encrypt(&yarrow_state.key,
 			    yarrow_state.counter.byte, tbuf, BLOCKSIZE);
 			memcpy(buf, tbuf, bytecount - i * BLOCKSIZE);