[tor-commits] [tor/master] Check maximum properly in crypto_rand_int()

[nickm at torproject.org]

commit 5afab5ca197112b01135980d6cb3694a4519e3cf
Author: Nick Mathewson <nickm at torproject.org>
Date:   Wed Jun 1 11:48:39 2011 -0400

    Check maximum properly in crypto_rand_int()
    
    George Kadianakis notes that if you give crypto_rand_int() a value
    above INT_MAX, it can return a negative number, which is not what
    the documentation would imply.
    
    The simple solution is to assert that the input is in [1,INT_MAX+1].
    If in the future we need a random-value function that can return
    values up to UINT_MAX, we can add one.
    
    Fixes bug 3306; bugfix on 0.2.2pre14.
---
 changes/bug3306     |    5 +++++
 src/common/crypto.c |    5 +++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/changes/bug3306 b/changes/bug3306
new file mode 100644
index 0000000..b1bb103
--- /dev/null
+++ b/changes/bug3306
@@ -0,0 +1,5 @@
+  o Minor bugfixes:
+    - Make our crypto_rand_int() function check the value of its input
+      correctly. Previously, it accepted values up to UINT_MAX, but
+      could return a negative number if given a value above INT_MAX+1.
+      Found by George Kadianakis. Fixes bug 3306; bugfix on 0.2.2pre14.
diff --git a/src/common/crypto.c b/src/common/crypto.c
index d8e6619..851f11b 100644
--- a/src/common/crypto.c
+++ b/src/common/crypto.c
@@ -2145,13 +2145,14 @@ crypto_rand(char *to, size_t n)
 }
 
 /** Return a pseudorandom integer, chosen uniformly from the values
- * between 0 and <b>max</b>-1. */
+ * between 0 and <b>max</b>-1 inclusive.  <b>max</b> must be between 1 and
+ * INT_MAX+1, inclusive. */
 int
 crypto_rand_int(unsigned int max)
 {
   unsigned int val;
   unsigned int cutoff;
-  tor_assert(max < UINT_MAX);
+  tor_assert(max <= ((unsigned int)INT_MAX)+1);
   tor_assert(max > 0); /* don't div by 0 */
 
   /* We ignore any values that are >= 'cutoff,' to avoid biasing the