rand: xoroshiro128: fix buffer overflow
If rand32_xoroshiro128::z_impl_sys_rand_get is called with outlen not divisible by 4, it will overflow the dst buffer. This happens because blocksize is not changed from 4 to the difference between outlen and len. If outlen is < 4, z_impl_sys_rand_get will be stuck in an infinite loop that keeps writing random bytes outside the buffer. If outlen is > 4, z_impl_sys_rand_get returns after the correct number of loops, but it writes every byte to the buffer, not just outlen number of bytes. This causes the buffer to be overflowed with up to and including 3 bytes. Signed-off-by: Didrik Rokhaug <didrik.rokhaug@gmail.com>
This commit is contained in:
Didrik Rokhaug
Maureen Helm
parent
202adf565f
commit
89f6e24590
1 changed files with 1 additions and 1 deletions
|
|
@ -106,7 +106,7 @@ void z_impl_sys_rand_get(void *dst, size_t outlen)
|
|||
while (len < outlen) {
|
||||
ret = xoroshiro128_next();
|
||||
if ((outlen-len) < sizeof(ret)) {
|
||||
blocksize = len;
|
||||
blocksize = outlen - len;
|
||||
(void)memcpy(udst, &ret, blocksize);
|
||||
} else {
|
||||
(*udst++) = ret;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue