Fix a buffer overrun in /dev/random which, due to the nature of the

kernel memory allocator, is harmless. This could be a problem for
other systems, though. I've modified Darren's patch a little.

Original patch by: Darren Schack, Isilon Systems, Inc <darrens@isilon.com>
Also analysed by:  SGI, and in particular Divy Le Ray of SGI
OK'ed by:          re(rwatson)
This commit is contained in:
markm 2002-12-12 17:38:45 +00:00
parent 041d1287e8
commit 824369dc3e

View File

@ -253,6 +253,7 @@ read_random_real(void *buf, int count)
static int cur = 0;
static int gate = 1;
static u_char genval[KEYSIZE];
size_t tomove;
int i;
int retval;
@ -270,14 +271,14 @@ read_random_real(void *buf, int count)
random_state.counter[0]++;
yarrow_encrypt(&random_state.key, random_state.counter,
genval);
memcpy((char *)buf + i, genval,
sizeof(random_state.counter));
tomove = min(count - i, sizeof(random_state.counter));
memcpy((char *)buf + i, genval, tomove);
if (++random_state.outputblocks >=
random_state.gengateinterval) {
generator_gate();
random_state.outputblocks = 0;
}
retval += (int)sizeof(random_state.counter);
retval += (int)tomove;
}
}
else {