From: Dr. Stephen Henson Date: Sun, 6 Apr 2014 22:11:20 +0000 (+0100) Subject: Return if ssleay_rand_add called with zero num. X-Git-Tag: OpenSSL_1_0_1g~2 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=5be1ae28ef3c4bdec95b94f14e0e939157be550a;p=oweals%2Fopenssl.git Return if ssleay_rand_add called with zero num. Treat a zero length passed to ssleay_rand_add a no op: the existing logic zeroes the md value which is very bad. OpenSSL itself never does this internally and the actual call doesn't make sense as it would be passing zero bytes of entropy. Thanks to Marcus Meissner for reporting this bug. --- diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c index dd29163727..aee1c30b0a 100644 --- a/crypto/rand/md_rand.c +++ b/crypto/rand/md_rand.c @@ -198,6 +198,9 @@ static void ssleay_rand_add(const void *buf, int num, double add) EVP_MD_CTX m; int do_not_lock; + if (!num) + return; + /* * (Based on the rand(3) manpage) *