random: fix bound check ordering (CVE-2007-3105)

[linux-2.6-omap-h63xx.git] / drivers / char / random.c

diff --git a/drivers/char/random.c b/drivers/char/random.c
index 7f5271272f91400b17d1ac928047d5d363c35be4..397c714cf2ba78b517a363f0bef2eb674309cb13 100644 (file)
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -693,9 +693,14 @@ static void xfer_secondary_pool(struct entropy_store *r, size_t nbytes)
 
        if (r->pull && r->entropy_count < nbytes * 8 &&
            r->entropy_count < r->poolinfo->POOLBITS) {
-               int bytes = max_t(int, random_read_wakeup_thresh / 8,
-                               min_t(int, nbytes, sizeof(tmp)));
+               /* If we're limited, always leave two wakeup worth's BITS */
                int rsvd = r->limit ? 0 : random_read_wakeup_thresh/4;
+               int bytes = nbytes;
+
+               /* pull at least as many as BYTES as wakeup BITS */
+               bytes = max_t(int, bytes, random_read_wakeup_thresh / 8);
+               /* but never more than the buffer size */
+               bytes = min_t(int, bytes, sizeof(tmp));
 
                DEBUG_ENT("going to reseed %s with %d bits "
                          "(%d of %d requested)\n",