svn commit: r278950 - head/sys/dev/random

Xin LI delphij at FreeBSD.org
Wed Feb 18 08:21:53 UTC 2015


Author: delphij
Date: Wed Feb 18 08:21:51 2015
New Revision: 278950
URL: https://svnweb.freebsd.org/changeset/base/278950

Log:
   - fortuna.c: catch up with r278927 and fix a buffer overflow by using the
  	      temporary buffer when remaining space is not enough to hold
  	      a whole block.
   - yarrow.c:  add a comment that we intend to change the code and remove
  	      memcpy's in the future. (*)
  
  Requested by:	markm (*)
  Reviewed by:	markm
  Approved by:	so (self)

Modified:
  head/sys/dev/random/fortuna.c
  head/sys/dev/random/yarrow.c

Modified: head/sys/dev/random/fortuna.c
==============================================================================
--- head/sys/dev/random/fortuna.c	Wed Feb 18 08:10:13 2015	(r278949)
+++ head/sys/dev/random/fortuna.c	Wed Feb 18 08:21:51 2015	(r278950)
@@ -298,8 +298,13 @@ random_fortuna_genrandom(uint8_t *buf, u
 	KASSERT((bytecount <= (1 << 20)), ("invalid single read request to fortuna of %d bytes", bytecount));
 
 	/* F&S - r = first-n-bytes(GenerateBlocks(ceil(n/16))) */
-	blockcount = (bytecount + BLOCKSIZE - 1)/BLOCKSIZE;
+	blockcount = bytecount / BLOCKSIZE;
 	random_fortuna_genblocks(buf, blockcount);
+	/* TODO: FIX! remove memcpy()! */
+	if (bytecount % BLOCKSIZE > 0) {
+		random_fortuna_genblocks(temp, 1);
+		memcpy(buf + (blockcount * BLOCKSIZE), temp, bytecount % BLOCKSIZE);
+	}
 
 	/* F&S - K = GenerateBlocks(2) */
 	random_fortuna_genblocks(temp, KEYSIZE/BLOCKSIZE);

Modified: head/sys/dev/random/yarrow.c
==============================================================================
--- head/sys/dev/random/yarrow.c	Wed Feb 18 08:10:13 2015	(r278949)
+++ head/sys/dev/random/yarrow.c	Wed Feb 18 08:21:51 2015	(r278950)
@@ -450,6 +450,7 @@ random_yarrow_read(uint8_t *buf, u_int b
 		}
 		uint128_increment(&yarrow_state.counter.whole);
 		if ((i + 1) * BLOCKSIZE > bytecount) {
+			/* TODO: FIX! remove memcpy()! */
 			randomdev_encrypt(&yarrow_state.key,
 			    yarrow_state.counter.byte, tbuf, BLOCKSIZE);
 			memcpy(buf, tbuf, bytecount - i * BLOCKSIZE);


More information about the svn-src-head mailing list