From: Tedd Ho-Jeong An <tedd.an@xxxxxxxxx>

This patch replaces the rand() function to the getrandom() syscall.

It was reported by the Coverity scan

rand() should not be used for security-related applications, because linear congruential algorithms are too easy to break
---
 plugins/autopair.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/plugins/autopair.c b/plugins/autopair.c
index 665a4f4a6..a75ecebe4 100644
--- a/plugins/autopair.c
+++ b/plugins/autopair.c
@@ -17,6 +17,7 @@
 #include <fcntl.h>
 #include <unistd.h>
 #include <errno.h>
+#include <sys/random.h>
 
 #include <glib.h>
 
@@ -49,6 +50,7 @@ static ssize_t autopair_pincb(struct btd_adapter *adapter,
 	char pinstr[7];
 	char name[25];
 	uint32_t class;
+	uint32_t val;
 
 	ba2str(device_get_address(device), addr);
 
@@ -129,8 +131,12 @@ static ssize_t autopair_pincb(struct btd_adapter *adapter,
 	if (attempt >= 4)
 		return 0;
 
+	if (getrandom(&val, sizeof(val), 0) < 0) {
+		error("Failed to get a random pincode");
+		return 0;
+	}
 	snprintf(pinstr, sizeof(pinstr), "%06u",
-		rand() % 1000000);
+		val % 1000000);
 	*display = true;
 	memcpy(pinbuf, pinstr, 6);
 	return 6;
-- 
2.25.1
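Review bot: The added guard `if (getrandom(&val, sizeof(val), 0) < 0)` in the third hunk only catches a negative return, while getrandom() is documented as allowed to return fewer bytes than requested, so a short read would leave part of `val` unset and still be turned into a PIN; comparing against the full length, `if (getrandom(&val, sizeof(val), 0) != (ssize_t)sizeof(val)) {`, is cheap and makes the requirement explicit. The same call can also fail with -1/EINTR if a signal arrives while the entropy pool is still initialising (flags is 0, so it blocks), and this path then refuses the pairing outright; a short retry on `errno == EINTR` would avoid that spurious failure at early boot, though it is rare in practice. Logging the reason, `error("Failed to get a random pincode: %s", strerror(errno));`, would make either case diagnosable (this assumes <string.h> is already included, which the hunk does not show). `val % 1000000` is marginally non-uniform because 2^32 is not a multiple of 10^6, but the bias is far too small to matter for a six-digit PIN limited to four attempts. autopair_pincb starts and ends outside the hunk.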