michaelh/zephyr
1
0
Fork 0
Code Releases Activity

rand: xoroshiro128: fix buffer overflow

Browse source 
If rand32_xoroshiro128::z_impl_sys_rand_get is called with outlen
not divisible by 4, it will overflow the dst buffer. This happens
because blocksize is not changed from 4 to the difference between
outlen and len. If outlen is < 4, z_impl_sys_rand_get will be stuck
in an infinite loop that keeps writing random bytes outside the buffer.
If outlen is > 4, z_impl_sys_rand_get returns after the correct number
of loops, but it writes every byte to the buffer, not just outlen number
of bytes. This causes the buffer to be overflowed with up to and
including 3 bytes.

Signed-off-by: Didrik Rokhaug <didrik.rokhaug@gmail.com>
This commit is contained in:
Didrik Rokhaug 2020-11-10 17:48:12 +01:00 committed by Maureen Helm
commit 89f6e24590
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
subsys/random/rand32_xoroshiro128.c
View file

@ -106,7 +106,7 @@ void z_impl_sys_rand_get(void *dst, size_t outlen)
while (len < outlen) { while (len < outlen) {
ret = xoroshiro128_next(); ret = xoroshiro128_next();
if ((outlen-len) < sizeof(ret)) { if ((outlen-len) < sizeof(ret)) {
blocksize = len; blocksize = outlen - len;
(void)memcpy(udst, &ret, blocksize); (void)memcpy(udst, &ret, blocksize);
} else { } else {
(*udst++) = ret; (*udst++) = ret;