1 GB works as expected:

    $ openssl rand 1000000000 | wc -c
    1000000000

But 10 GB does not:

    $ apps/openssl rand 10000000000 | wc -c
    1410065408

2 GB +1 is also bad:

    $ openssl rand 2147483649 | wc -c
    rand: Use -help for summary.
    0

2 GB -1 is good:

    $ apps/openssl rand 2147483647 | wc -c
    2147483647

It seems the counter (num in rand.c) is a 32-bit int. These days it should at least be 64-bit. In any case there should be a decent error message if the number is out of the supported range.

I am a bit worried when I see C-beginner mistakes like this in a security suite: when using sscanf on data you have not produced yourself, you should always assume it will be bigger than your largest buffer/variable and deal correctly with that.

Tested on: openssl-1.1.0-pre1 git-6ac11bd0b

/Ole

_______________________________________________
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
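The pattern the report describes, as an added example that is not OpenSSL's code and not part of the original message: a user-supplied byte count parsed with sscanf into an int (the weak form), beside a hardened parser that reads into a 64-bit unsigned value and rejects overflow, negative input, trailing garbage and anything above a caller-chosen maximum. The `produce` function shows the count being consumed through a bounded buffer while the remaining total stays 64-bit; its byte source `fill_bytes` is a constructed counter pattern, not a CSPRNG, so the loop can be exercised offline. All function names are this example's own.

```c
/* Added example (not OpenSSL's code): parsing a byte count supplied by
 * the user and consuming it with a 64-bit remaining counter. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Weak form: the count lands in a 32-bit int. For input above INT_MAX the
 * result is implementation-defined or undefined, so 10000000000 may turn
 * into 1410065408 (its low 32 bits) and 2147483649 may come out negative.
 * Kept only for comparison; it is never the thing to ship. */
static int parse_count_weak(const char *s, int *out)
{
    return sscanf(s, "%d", out) == 1 && *out >= 0;
}

/* Hardened form: parse into a 64-bit unsigned value. Rejects empty input,
 * a leading sign or whitespace, trailing garbage, ERANGE overflow and any
 * value above `max`. Returns 1 on success, 0 on failure. */
static int parse_count(const char *s, uint64_t max, uint64_t *out)
{
    char *end;
    unsigned long long v;

    if (s == NULL || !isdigit((unsigned char)*s))
        return 0;           /* "", "-1", " 5", "+5" all fail here */
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno == ERANGE)
        return 0;           /* does not fit in 64 bits */
    if (*end != '\0')
        return 0;           /* trailing garbage such as "12abc" */
    if (v > max)
        return 0;           /* more than the caller is willing to produce */
    *out = (uint64_t)v;
    return 1;
}

/* Constructed stand-in byte source (NOT a CSPRNG): fills buf with a
 * running counter so the chunking loop below runs without any RNG. */
static void fill_bytes(unsigned char *buf, size_t n, uint64_t *state)
{
    for (size_t i = 0; i < n; i++)
        buf[i] = (unsigned char)((*state)++ & 0xff);
}

/* Emit exactly `count` bytes through a fixed-size buffer. The remaining
 * count is a uint64_t, so totals above 4 GB are handled without
 * truncation. `sink` may be NULL to discard output. Returns bytes produced. */
static uint64_t produce(uint64_t count,
                        void (*sink)(const unsigned char *, size_t))
{
    unsigned char buf[4096];
    uint64_t remaining = count, state = 0, produced = 0;

    while (remaining > 0) {
        size_t chunk = remaining < sizeof buf ? (size_t)remaining : sizeof buf;
        fill_bytes(buf, chunk, &state);
        if (sink != NULL)
            sink(buf, chunk);
        remaining -= chunk;
        produced += chunk;
    }
    return produced;
}

int main(int argc, char **argv)
{
    uint64_t n;

    (void)parse_count_weak;  /* referenced only so the weak form is visible */
    if (argc != 2 || !parse_count(argv[1], UINT64_MAX, &n)) {
        fprintf(stderr, "usage: %s <num>  (non-negative integer, at most 2^64-1)\n",
                argc > 0 ? argv[0] : "prog");
        return 1;
    }
    fprintf(stderr, "produced %llu bytes\n",
            (unsigned long long)produce(n, NULL));
    return 0;
}
```

With this parser the four inputs from the report behave uniformly: 1000000000, 2147483647, 2147483649 and 10000000000 are all accepted as exact 64-bit values, while "-1", "12abc" and a 23-digit number are refused with a clear failure rather than a silently wrapped count.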