svn commit: r278950 - head/sys/dev/random

Wed, 18 Feb 2015 00:23:24 -0800 

Author: delphij
Date: Wed Feb 18 08:21:51 2015
New Revision: 278950
URL: https://svnweb.freebsd.org/changeset/base/278950

Log:
   - fortuna.c: catch up with r278927 and fix a buffer overflow by using the
              temporary buffer when remaining space is not enough to hold
              a whole block.
   - yarrow.c:  add a comment that we intend to change the code and remove
              memcpy's in the future. (*)
  
  Requested by: markm (*)
  Reviewed by:  markm
  Approved by:  so (self)

Modified:
  head/sys/dev/random/fortuna.c
  head/sys/dev/random/yarrow.c

Modified: head/sys/dev/random/fortuna.c
==============================================================================
--- head/sys/dev/random/fortuna.c       Wed Feb 18 08:10:13 2015        
(r278949)
+++ head/sys/dev/random/fortuna.c       Wed Feb 18 08:21:51 2015        
(r278950)
@@ -298,8 +298,13 @@ random_fortuna_genrandom(uint8_t *buf, u
        KASSERT((bytecount <= (1 << 20)), ("invalid single read request to 
fortuna of %d bytes", bytecount));
 
        /* F&S - r = first-n-bytes(GenerateBlocks(ceil(n/16))) */
-       blockcount = (bytecount + BLOCKSIZE - 1)/BLOCKSIZE;
+       blockcount = bytecount / BLOCKSIZE;
        random_fortuna_genblocks(buf, blockcount);
+       /* TODO: FIX! remove memcpy()! */
+       if (bytecount % BLOCKSIZE > 0) {
+               random_fortuna_genblocks(temp, 1);
+               memcpy(buf + (blockcount * BLOCKSIZE), temp, bytecount % 
BLOCKSIZE);
+       }
 
        /* F&S - K = GenerateBlocks(2) */
        random_fortuna_genblocks(temp, KEYSIZE/BLOCKSIZE);

Modified: head/sys/dev/random/yarrow.c
==============================================================================
--- head/sys/dev/random/yarrow.c        Wed Feb 18 08:10:13 2015        
(r278949)
+++ head/sys/dev/random/yarrow.c        Wed Feb 18 08:21:51 2015        
(r278950)
@@ -450,6 +450,7 @@ random_yarrow_read(uint8_t *buf, u_int b
                }
                uint128_increment(&yarrow_state.counter.whole);
                if ((i + 1) * BLOCKSIZE > bytecount) {
+                       /* TODO: FIX! remove memcpy()! */
                        randomdev_encrypt(&yarrow_state.key,
                            yarrow_state.counter.byte, tbuf, BLOCKSIZE);
                        memcpy(buf, tbuf, bytecount - i * BLOCKSIZE);
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "[email protected]"

Reply via email to