diff options
author | markm <markm@FreeBSD.org> | 2002-12-12 17:38:45 +0000 |
---|---|---|
committer | markm <markm@FreeBSD.org> | 2002-12-12 17:38:45 +0000 |
commit | 824369dc3ec54fe2a617a7d9ea776792c033ba85 (patch) | |
tree | e48a477aa4f72b0c91f8051ae2e00abfbbdc8623 /sys/dev/random | |
parent | 041d1287e88250bf06ad159c6c696bd653a77957 (diff) | |
download | FreeBSD-src-824369dc3ec54fe2a617a7d9ea776792c033ba85.zip FreeBSD-src-824369dc3ec54fe2a617a7d9ea776792c033ba85.tar.gz |
Fix a buffer overrun in /dev/random which, due to the nature of the
kernel memory allocator, is harmless. This could be a problem for
other systems, though. I've modified Darren's patch a little.
Original patch by: Darren Schack, Isilon Systems, Inc <darrens@isilon.com>
Also analysed by: SGI, and in particular Divy Le Ray of SGI
OK'ed by: re(rwatson)
Diffstat (limited to 'sys/dev/random')
-rw-r--r-- | sys/dev/random/yarrow.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/sys/dev/random/yarrow.c b/sys/dev/random/yarrow.c index 304de5d..1b5a4bf 100644 --- a/sys/dev/random/yarrow.c +++ b/sys/dev/random/yarrow.c @@ -253,6 +253,7 @@ read_random_real(void *buf, int count) static int cur = 0; static int gate = 1; static u_char genval[KEYSIZE]; + size_t tomove; int i; int retval; @@ -270,14 +271,14 @@ read_random_real(void *buf, int count) random_state.counter[0]++; yarrow_encrypt(&random_state.key, random_state.counter, genval); - memcpy((char *)buf + i, genval, - sizeof(random_state.counter)); + tomove = min(count - i, sizeof(random_state.counter)); + memcpy((char *)buf + i, genval, tomove); if (++random_state.outputblocks >= random_state.gengateinterval) { generator_gate(); random_state.outputblocks = 0; } - retval += (int)sizeof(random_state.counter); + retval += (int)tomove; } } else { |