- fortuna.c: catch up with r278927 and fix a buffer overflow by using the

	      temporary buffer when remaining space is not enough to hold
	      a whole block.
 - yarrow.c:  add a comment that we intend to change the code and remove
	      memcpy's in the future. (*)

Requested by:	markm (*)
Reviewed by:	markm
Approved by:	so (self)

2 files changed, 7 insertions, 1 deletions

diff --git a/sys/dev/random/fortuna.c b/sys/dev/random/fortuna.c
index 6f6febb..2bb31f4 100644
--- a/sys/dev/random/fortuna.c
+++ b/sys/dev/random/fortuna.c
@@ -298,8 +298,13 @@ random_fortuna_genrandom(uint8_t *buf, u_int bytecount)
 	KASSERT((bytecount <= (1 << 20)), ("invalid single read request to fortuna of %d bytes", bytecount));
 
 	/* F&S - r = first-n-bytes(GenerateBlocks(ceil(n/16))) */
-	blockcount = (bytecount + BLOCKSIZE - 1)/BLOCKSIZE;
+	blockcount = bytecount / BLOCKSIZE;
 	random_fortuna_genblocks(buf, blockcount);
+	/* TODO: FIX! remove memcpy()! */
+	if (bytecount % BLOCKSIZE > 0) {
+		random_fortuna_genblocks(temp, 1);
+		memcpy(buf + (blockcount * BLOCKSIZE), temp, bytecount % BLOCKSIZE);
+	}
 
 	/* F&S - K = GenerateBlocks(2) */
 	random_fortuna_genblocks(temp, KEYSIZE/BLOCKSIZE);
diff --git a/sys/dev/random/yarrow.c b/sys/dev/random/yarrow.c
index 8c1de99..88e09af 100644
--- a/sys/dev/random/yarrow.c
+++ b/sys/dev/random/yarrow.c
@@ -450,6 +450,7 @@ random_yarrow_read(uint8_t *buf, u_int bytecount)
 		}
 		uint128_increment(&yarrow_state.counter.whole);
 		if ((i + 1) * BLOCKSIZE > bytecount) {
+			/* TODO: FIX! remove memcpy()! */
 			randomdev_encrypt(&yarrow_state.key,
 			    yarrow_state.counter.byte, tbuf, BLOCKSIZE);
 			memcpy(buf, tbuf, bytecount - i * BLOCKSIZE);