From: Pauli Date: Wed, 4 Jun 2025 23:57:00 +0000 (+1000) Subject: rand: fix memory overrun bug X-Git-Tag: openssl-3.0.17~19 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=49cbbbf64f23dc1d3c6094654a72ff20d31021a1;p=thirdparty%2Fopenssl.git rand: fix memory overrun bug Reviewed-by: Tom Cosgrove Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27767)
---
diff --git a/providers/implementations/rands/test_rng.c b/providers/implementations/rands/test_rng.c
index 4e7fed0fc7b..d974537ca5d 100644
--- a/providers/implementations/rands/test_rng.c
+++ b/providers/implementations/rands/test_rng.c
@@ -125,16 +125,18 @@ static int test_rng_reseed(ossl_unused void *vtest,
 static size_t test_rng_nonce(void *vtest, unsigned char *out, unsigned int strength, ossl_unused size_t min_noncelen,
- ossl_unused size_t max_noncelen)
+ size_t max_noncelen)
 {
 PROV_TEST_RNG *t = (PROV_TEST_RNG *)vtest;
+ size_t i;
 if (t->nonce == NULL || strength > t->strength) return 0;
+ i = t->nonce_len > max_noncelen ? max_noncelen : t->nonce_len;
 if (out != NULL)
- memcpy(out, t->nonce, t->nonce_len);
- return t->nonce_len;
+ memcpy(out, t->nonce, i);
+ return i;
 }
 static int test_rng_get_ctx_params(void *vtest, OSSL_PARAM params[])
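Review bot: The new clamp in test_rng_nonce bounds the copy by `max_noncelen`, but `min_noncelen` is still marked `ossl_unused`, so a configured nonce that is truncated (or simply short) can be returned with a length below the caller's minimum; whether the caller rejects that is not visible in this hunk. Because the truncation is silent, a test nonce longer than the caller's limit is shortened without any signal, which can hide a misconfigured test vector; a comment on the clamp would make the contract explicit, e.g. `/* out holds at most max_noncelen bytes; a longer test nonce is truncated */`. The length variable would also read better as `len` than `i`: `len = t->nonce_len > max_noncelen ? max_noncelen : t->nonce_len;`.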