[Pkg-shadow-devel] Bug#677275: Bug#677275: passwd: RAND_MAX is for rand() only, and on some systems random() can exceed RAND_MAX
Nicolas François
nicolas.francois at centraliens.net
Tue Jun 12 23:04:51 UTC 2012
Hello,
On Wed, Jun 13, 2012 at 12:15:53AM +0400, pashev.igor at gmail.com wrote:
>
> function SHA_salt_size() in file libmisc/salt.c uses random() to get random
> number and divides it by RAND_MAX.
>
> This is incorrect.
>
> RAND_MAX macro is designed for C standard function rand() (value of the
> RAND_MAX macro shall be at least 32767) [1]
>
> But random() returns numbers in the range from 0 to 2^31-1 [2].
>
> So, random()/RAND_MAX could result in a value > 1.
Theoretically agreed.
The random(3) manpage is misleading here (although no problem on glibc).
> I propose to replace RAND_MAX with LONG_MAX.
This should be 2^31-1, not LONG_MAX.
Best Regards,
--
Nekral
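
Added example (not part of the original message, and not the code from libmisc/salt.c): how the choice of divisor affects scaling a random() result into a size range. The 8..16 range, the helper names and the 32767 stand-in for a small RAND_MAX are assumptions made for the illustration. Where long is 64 bits, dividing by LONG_MAX pins the result to the minimum.

```c
#include <limits.h>
#include <stdio.h>

/* random(3) returns values in [0, 2^31-1] regardless of RAND_MAX. */
#define RANDOM_LIMIT 2147483647L
/* Constructed stand-in for a libc whose RAND_MAX is the C minimum. */
#define SMALL_RAND_MAX 32767L

/* Hypothetical helper: map a random() result r onto [min, min + span]
 * by dividing by `divisor`, the pattern discussed in the thread. */
static double scale(long r, double divisor, double min, double span)
{
    return min + span * ((double)r / divisor);
}

/* Largest size the scaling can yield, truncated as a size would be.
 * scale() is monotonic in r, so the maximum is at r == RANDOM_LIMIT. */
static unsigned long max_size(double divisor, double min, double span)
{
    return (unsigned long)scale(RANDOM_LIMIT, divisor, min, span);
}

/* 1 if every possible random() result stays inside [min, min + span]. */
static int stays_in_range(double divisor, double min, double span)
{
    return scale(0, divisor, min, span) >= min &&
           scale(RANDOM_LIMIT, divisor, min, span) <= min + span;
}

int main(void)
{
    const double min = 8.0, span = 8.0;   /* assumed size range 8..16 */
    const struct { const char *name; double divisor; } cases[] = {
        { "RAND_MAX == 32767", (double)SMALL_RAND_MAX },
        { "2^31-1",            (double)RANDOM_LIMIT },
        { "LONG_MAX",          (double)LONG_MAX },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-18s max size %lu, in range: %s\n", cases[i].name,
               max_size(cases[i].divisor, min, span),
               stays_in_range(cases[i].divisor, min, span) ? "yes" : "no");
    return 0;
}
```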