Re: getppid misused as entropy source

On Tue, Mar 08, 2005 at 03:27:55PM +0100, Bruno Rohee wrote:
> I'm afraid that this patch is wrong, the return value from getppid()
> was constrained in the 2-65535 range and the call to arc4random()
> isn't. And I think it's bad in that context. I'll look at it again tonight.

I admit I do not know the protocol, so I don't know all of the
implications of that change. It's just that the code looked so weird:
"I need an auth_port (whatever it is), let's get the ttyslot(). Oh
wait, it was zero? Then get the parent pid.".

BTW, the range of getppid() is 1-32766.

Fabio Olive

I drowned in the universal pool of entropy
Eris has saved me, and she has set me free