> From: Yann Droneaud <[email protected]>
> Date: Tue, 23 Mar 2010 13:05:22 +0100
>
> On Monday 22 March 2010 at 17:49 -0700, Jeremy Huddleston wrote:
> > I was thinking smaller would be more "acceptable" ... but I too would
> > prefer something like OsRandom() in os/utils.c ...
>
> I would prefer too, since GNU libc doesn't have a definition for
> arc4random, something like OsRandom() would be definitely better.
> You should also specify the known output range for the PRNG:
> rand() returns an int in the range [0..RAND_MAX] while arc4random() returns
> a uint32_t with range [0..2^32-1].
Guys, if you ask me, introducing all this additional complexity just to placate a static analysis tool is starting to get a bit silly. How about just putting a comment in the code that the usage of rand() is not security related at all and therefore perfectly fine?
_______________________________________________
[email protected]: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel
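For reference, the kind of wrapper the quoted message is asking for: a single OsRandom() with a documented output range of [0..2^32-1], built on arc4random() where the libc has it and on rand() otherwise, plus a bounded variant that avoids the modulo bias of rand() % n. This is an added example written for this page, not code from the X server's os/utils.c; the names OsRandom, OsRandomBounded, OsRandomSeed and the helpers around them are hypothetical, and the HAVE_ARC4RANDOM test is a stand-in for whatever the build system would provide. The rand() path assumes RAND_MAX + 1 is a power of two (true for glibc, musl and the BSDs), which is what lets it count bits per call; as the thread says, neither path is a substitute for a cryptographic generator where one is needed.

```c
/* Added example (not X.Org code).  Hypothetical OsRandom() wrapper with a
 * fixed output range, selecting arc4random() or rand() at compile time.
 * Not for security-sensitive use: rand() is a deterministic PRNG. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for a configure-time check; assumed, not X.Org's macro. */
#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__APPLE__)
#define HAVE_ARC4RANDOM 1
#endif

/* Bits of output per rand() call.  C guarantees RAND_MAX >= 32767; this
 * assumes RAND_MAX is 2^k - 1 (glibc: 2^31 - 1, so 31 bits per call). */
static int rand_bits(void)
{
    unsigned long m = (unsigned long)RAND_MAX;
    int bits = 0;
    while (m) { bits++; m >>= 1; }
    return bits;
}

/* Seed the fallback generator; a no-op when arc4random() self-seeds. */
void OsRandomSeed(unsigned int seed)
{
#ifdef HAVE_ARC4RANDOM
    (void)seed;
#else
    srand(seed);
#endif
}

/* Documented range: [0 .. 2^32 - 1] on every platform. */
uint32_t OsRandom(void)
{
#ifdef HAVE_ARC4RANDOM
    return arc4random();
#else
    int per_call = rand_bits();   /* at most 31, so the shift below is safe */
    int have = 0;
    uint32_t r = 0;
    /* Concatenate rand() outputs until 32 bits are filled; surplus high
     * bits from the last call simply fall off the top of the uint32_t. */
    while (have < 32) {
        r = (r << per_call) | (uint32_t)rand();
        have += per_call;
    }
    return r;
#endif
}

/* Uniform value in [0 .. n - 1] by rejection sampling, so the result is
 * not skewed toward small values the way OsRandom() % n would be. */
uint32_t OsRandomBounded(uint32_t n)
{
    uint32_t limit, r;
    if (n < 2)
        return 0;
    /* Largest multiple of n not exceeding UINT32_MAX; values at or above
     * it are redrawn.  At most n - 1 of the 2^32 outputs are rejected. */
    limit = UINT32_MAX - (UINT32_MAX % n);
    do {
        r = OsRandom();
    } while (r >= limit);
    return r % n;
}

/* Self-check helpers: return 1 on success, 0 on failure. */
int OsRandomBoundedAllBelow(uint32_t n, int trials)
{
    int i;
    for (i = 0; i < trials; i++)
        if (OsRandomBounded(n) >= n)
            return 0;
    return 1;
}

int OsRandomVaries(int trials)
{
    uint32_t first = OsRandom();
    int i;
    for (i = 1; i < trials; i++)
        if (OsRandom() != first)
            return 1;
    return 0;
}

int main(void)
{
    int i;
    OsRandomSeed(12345u);
    printf("rand() yields %d bits per call on this libc\n", rand_bits());
    for (i = 0; i < 4; i++)
        printf("OsRandom()=%lu  OsRandomBounded(6)=%lu\n",
               (unsigned long)OsRandom(), (unsigned long)OsRandomBounded(6));
    return 0;
}
```

The rejection loop in OsRandomBounded() is the part worth keeping even if OsRandom() stays a thin rand() wrapper: for a bound like 6, (uint32_t)rand() % 6 from a 31-bit rand() favours the residues 0 and 1 by a few parts per billion, which is harmless for the non-security uses the thread has in mind but trivial to avoid once the output range is pinned down.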
