[PATCH] Use arc4random instead of rand where available

Mark Kettenis mark.kettenis at xs4all.nl
Tue Mar 23 06:48:03 PDT 2010


> From: Yann Droneaud <ydroneaud at mandriva.com>
> Date: Tue, 23 Mar 2010 13:05:22 +0100
> 
> On Monday 22 March 2010 at 17:49 -0700, Jeremy Huddleston wrote:
> > I was thinking smaller would be more "acceptable" ... but I too would  
> > prefer something like OsRandom() in os/utils.c ... 
> 
> I would prefer too, since GNU libc doesn't have a definition for
> arc4random, something like OsRandom() would be definitely better.
> You should also specify known output range for the PRNG:
> rand() returns an int in range [0..RAND_MAX] while arc4random() returns
> a uint32_t with range [0..2^32-1].

Guys, if you ask me, introducing all this additional complexity just
to placate a static analysis tool is starting to get a bit silly.

How about just putting a comment in the code that the usage of rand()
is not security related at all and therefore perfectly fine?
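The OsRandom() wrapper discussed in the thread, written out as an added example (not code from xorg-server or from anyone in this thread). It assumes a configure-style HAVE_ARC4RANDOM macro selects the arc4random path; otherwise it falls back to rand() and widens the result to a full uint32_t, since RAND_MAX may be as small as 32767. The caller passes an upper bound so the output range is explicit, which was Yann's point; a bound of 0 means the full 32-bit range (a convention chosen here, not a documented API):

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <time.h>

/*
 * OsRandom(upper): return a uint32_t in [0, upper), or in [0, 2^32-1]
 * when upper == 0.  Hypothetical helper; HAVE_ARC4RANDOM is assumed
 * to be provided by the build system on platforms that have arc4random().
 */
#ifdef HAVE_ARC4RANDOM
uint32_t OsRandom(uint32_t upper)
{
    /* arc4random_uniform() avoids modulo bias on BSD/macOS/newer glibc. */
    return upper ? arc4random_uniform(upper) : arc4random();
}
#else
uint32_t OsRandom(uint32_t upper)
{
    static int seeded = 0;
    uint32_t r;

    if (!seeded) {
        srand((unsigned) time(NULL));
        seeded = 1;
    }
    /* rand() gives [0, RAND_MAX]; combine two calls so all 32 bits are
     * populated even where RAND_MAX is only 32767.  This is not a CSPRNG:
     * it is only acceptable because the caller's use is not security
     * related, as the thread argues. */
    r = ((uint32_t) rand() << 16) ^ (uint32_t) rand();
    /* Reduction by modulo has a small bias for bounds that do not divide
     * 2^32; tolerable for non-security uses, which is the stated scope. */
    return upper ? r % upper : r;
}
#endif

/* Check that `trials` draws with bound `upper` all fall inside [0, upper).
 * Returns 1 on success, 0 if any draw is out of range. */
int OsRandomRangeCheck(uint32_t upper, int trials)
{
    int i;
    for (i = 0; i < trials; i++) {
        if (OsRandom(upper) >= upper)
            return 0;
    }
    return 1;
}

int main(void)
{
    int i;
    for (i = 0; i < 5; i++)
        printf("OsRandom(100) = %u\n", (unsigned) OsRandom(100));
    printf("range check: %s\n", OsRandomRangeCheck(1000, 100000) ? "ok" : "FAIL");
    return 0;
}
```

Compile with -DHAVE_ARC4RANDOM on a system whose libc declares arc4random() in stdlib.h to exercise the first branch; without the define the rand() fallback is used.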


More information about the xorg-devel mailing list