[PATCH] Give a useful meaning to arc4random_uniform(0);
Alejandro Colomar
alx.manpages@gmail.com
Sat Dec 31 15:59:46 GMT 2022
Hi Theo,
On 12/31/22 16:13, Alejandro Colomar wrote:
> Hi Theo,
>
> On 12/31/22 15:56, Alejandro Colomar wrote:
>>>
>>> I do not like your proposal at all. A function like arc4random_range()
>>> is even more likely to be used wrong by passing backwards points
>>> and you seem to have a lot of hubris to add a range check to it.
>
> I didn't understand the entire sentence, since I'm not a native English speaker.
> Sorry for that. About adding a range check, I'm not against it. But what to
> do in that case? abort()? I don't see anything significantly better? In the
> Linux kernel, the used something BUILD_BUG, but I don't know those macros very
> much.
>
> I'm really open to discussion about what would the the best behavior when max <
> min.
Since there's no obvious thing to do when the bounds are reversed (some may want
to abort(); others may prefer to set errno?; others may just want to ignore the
possibility...
I tried to understand what it does with the obvious implementation:
> Alejandro Colomar <alx.manpages@gmail.com> wrote:
>> uint32_t
>> arc4random_range(uint32_t min, uint32_t max)
>> {
>> return arc4random_uniform(max - min + 1) + min;
>> }
Well, let's substitute with some actual values:
arc4random_range(7, 4);
This will result in:
arc4random_uniform(4 - 7 + 1) + 7;
which evaluates to:
arc4random_uniform(-2) + 7;
and is equivalent to:
arc4random_uniform(UINT32_MAX - 1) + 7;
Let's first ignore the +7. The arc4random_uniform(UINT32_MAX - 1) call can
generate 2^32 - 2 random numbers. By offsetting to 7, the 2 value that are
excluded are 6 and 5.
So it seems that a reversed call to arc4random_range(min, max) has an
interesting property: it generates random numbers outside of the non-inclusive
range (min, max), that is the compementary set of numbers that arc4random(max,
min) would produce.
If properly documented, it's not a bad behavior.
So, I'd rather not check bounds, and instead document the behavior when the
ranges are reversed. Then, anyone is free to add their own wrapper that adds
checks and performs their favourite action on reversed input, which might differ
from one programmer to another.
Cheers,
Alex
>
> Cheers,
>
> Alex
>
>>
>> Oh, I just checked hubris in the dictionary and it seems you did mention ego.
>> I'll try to rebate you with something useful.
>>
>> If you run `grep -rn 'arc4random_uniform('` in the OpenBSD tree, there will be
>> many cases where you'd really benefit from this. I'll just pick a few:
>>
>>
>> sys/net/pf_lb.c:224:
>> cut = arc4random_uniform(1 + high - low) + low;
>> better as:
>> cut = arc4random_range(low, high);
>>
>>
>> sys/kern/kern_fork.c:648:
>> pid = 2 + arc4random_uniform(PID_MAX - 1);
>> better as:
>> pid = arc4random_range(2, PID_MAX);
>>
>>
>> usr.bin/nc/netcat.c:1501:
>> cp = arc4random_uniform(x + 1);
>> better as:
>> cp = arc4random_range(0, x);
>>
>>
--
<http://www.alejandro-colomar.es/>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://sourceware.org/pipermail/libc-alpha/attachments/20221231/d2ad513f/attachment-0001.sig>
More information about the Libc-alpha
mailing list