[openssl-dev] [openssl.org #4227] openssl rand 10000000000 does not produce 10000000000 random bytes
Ole Tange via RT
rt at openssl.org
Mon Jan 11 23:58:35 UTC 2016
1 GB works as expected:
$ openssl rand 1000000000 | wc -c
1000000000
But 10 GB does not:
$ apps/openssl rand 10000000000 | wc -c
1410065408
2 GB +1 is also bad:
$ openssl rand 2147483649 | wc -c
rand: Use -help for summary.
0
2 GB -1 is good:
$ apps/openssl rand 2147483647 | wc -c
2147483647
It seems the counter (num in rand.c) is a 32-bit int. These days it
should at least be 64-bit.
In any case there should be a decent error message if the number is
out of the supported range.
I am a bit worried when I see C-beginner mistakes like this in a
security suite: When using sscanf on data you have not produced
yourself, you should always assume they will be bigger than your
largest buffer/variable and deal correctly with that.
Tested on:
openssl-1.1.0-pre1
git-6ac11bd0b
/Ole
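The two behaviours in the report (a silently wrapped count for 10000000000, a bare usage error for 2147483649) are what you get when a decimal string is converted and then stored in a 32-bit int. The following is an added illustration written for this archive page, not OpenSSL's rand.c: it models the narrowing that produces the observed numbers and sets a 64-bit, range-checked parser with a specific error message beside it. The function names, the PARSE_* statuses and the model of the legacy path are assumptions of the example.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcome of parsing a byte-count argument (names are this example's own). */
typedef enum { PARSE_OK, PARSE_INVALID, PARSE_OUT_OF_RANGE } parse_status;

/* Model of the defective pattern: the converted value ends up in a 32-bit int.
 * The narrowing is done by hand so that it is portable and reproduces exactly
 * what a two's-complement cast does: keep the low 32 bits, reinterpret as signed. */
int32_t narrow_to_int32(unsigned long long v)
{
    uint32_t low = (uint32_t)(v & 0xffffffffULL);
    if (low <= (uint32_t)INT32_MAX)
        return (int32_t)low;
    return -(int32_t)(UINT32_MAX - low) - 1;
}

/* Legacy path as modelled here: convert, then store in an int. */
int32_t legacy_count(const char *text)
{
    return narrow_to_int32(strtoull(text, NULL, 10));
}

/* Hardened parser: unsigned 64-bit result, no sign, no trailing junk,
 * overflow of the conversion and an application-chosen maximum both rejected. */
parse_status parse_byte_count(const char *text, uint64_t *out, uint64_t max)
{
    char *end;
    unsigned long long v;

    /* strtoull would happily accept "-1" (and wrap it), so require a digit first. */
    if (text == NULL || !isdigit((unsigned char)*text))
        return PARSE_INVALID;
    errno = 0;
    v = strtoull(text, &end, 10);
    if (*end != '\0')
        return PARSE_INVALID;          /* e.g. "12abc" */
    if (errno == ERANGE || v > max)
        return PARSE_OUT_OF_RANGE;     /* does not fit, or above the caller's limit */
    *out = v;
    return PARSE_OK;
}

/* Small wrappers so callers (and tests) can ask for status or value alone. */
parse_status parse_status_of(const char *text, uint64_t max)
{
    uint64_t v;
    return parse_byte_count(text, &v, max);
}

uint64_t parsed_value_or_zero(const char *text, uint64_t max)
{
    uint64_t v = 0;
    return parse_byte_count(text, &v, max) == PARSE_OK ? v : 0;
}

int main(int argc, char **argv)
{
    /* Constructed inputs: the three counts from the bug report. */
    const char *samples[] = { "10000000000", "2147483649", "2147483647" };
    size_t i, n = argc > 1 ? (size_t)(argc - 1) : 3;

    for (i = 0; i < n; i++) {
        const char *text = argc > 1 ? argv[i + 1] : samples[i];
        uint64_t count;
        parse_status st = parse_byte_count(text, &count, UINT64_MAX);

        printf("%s: legacy int = %ld; ", text, (long)legacy_count(text));
        if (st == PARSE_OK)
            printf("checked = %llu bytes\n", (unsigned long long)count);
        else if (st == PARSE_OUT_OF_RANGE)
            printf("error: byte count out of range (max %llu)\n",
                   (unsigned long long)UINT64_MAX);
        else
            printf("error: '%s' is not a non-negative integer\n", text);
    }
    return 0;
}
```

Run without arguments it walks the report's three values: 10000000000 narrows to 1410065408 (the count wc reported), 2147483649 narrows to a negative int (which a later "num < 0" style check would turn into the usage error), while the checked parser accepts all three unchanged and names the reason when it refuses an input. The `max` parameter is there so a caller can still impose a policy limit below UINT64_MAX and get PARSE_OUT_OF_RANGE rather than a wrapped value.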