
Re: randomize source port

Subject: Re: randomize source port
From: "Steven M. Bellovin" <smb@xxxxxxxxxxxxxxx>
Date: Fri, 11 Jul 2008 16:07:43 UTC
Newsgroups: fa.netbsd.tech.net

On Fri, 11 Jul 2008 11:00:21 -0500 (CDT)
"Jeremy C. Reed" <reed@xxxxxxxxxxxxx> wrote:

> As a quick test, I did the following:
> 
> --- in_pcb.c    5 May 2008 17:11:17 -0000       1.125
> +++ in_pcb.c    11 Jul 2008 15:33:49 -0000
> @@ -332,6 +332,8 @@
>                         mymax = swp;
>                 }
>  
> +               *lastport = mymax - (arc4random() % (mymax - mymin));
> +
>                 lport = *lastport - 1;
>                 for (cnt = mymax - mymin + 1; cnt; cnt--, lport--) {
>                         if (lport < mymin || lport > mymax)
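Review bot: the modulus `mymax - mymin` can be zero. The loop right below sizes the range inclusively (`cnt = mymax - mymin + 1`), so a one-port range with mymax == mymin is a legal configuration there, but `arc4random() % (mymax - mymin)` then divides by zero in the kernel. Using `(mymax - mymin + 1)` as the modulus, matching the loop's own count, fixes that and also lets the random start cover the whole range: as written `*lastport` lands in mymin+1..mymax, so after `lport = *lastport - 1` the first port tried is never mymax. Minor: `arc4random() % n` is slightly biased toward the low end unless n divides 2^32; since mymin/mymax are variables rather than fixed constants, a uniform-range helper is preferable if the kernel has one.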
> 
> 
How easy would it be to do a timing test?  For example, assume a simple
program that just counted how many UDP ports it could bind to in ten
seconds?  I expect some impact, but not a big one; arc4 is very cheap,
but measurement is always good.

More seriously -- when at boot time does urandom have enough entropy to
seed the PRNG?  I've had problems on some server systems with things
like that.


                --Steve Bellovin, http://www.cs.columbia.edu/~smb
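The timing test suggested above, as an added example that is not part of the original thread or of NetBSD's own code. It assumes a POSIX system on which binding a UDP socket to port 0 makes the kernel choose an ephemeral port (on NetBSD that is the in_pcbbind() path the quoted patch touches), and it would be run once on an unpatched kernel and once on a patched one. Besides the raw bind rate it reports how often the port handed out is exactly one below the previous one, which is what the unpatched decrement-from-lastport allocator produces and what a randomized allocator should mostly not.

```c
/*
 * Added example (not from the original thread or NetBSD): count how many
 * UDP ephemeral ports can be allocated in a fixed interval.  Each iteration
 * binds a fresh UDP socket to port 0 so the kernel picks the port, reads
 * it back with getsockname(), and closes the socket so the port is free
 * again.  The loop therefore measures allocator cost, not how many ports
 * can be held open at once.
 */
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

struct bind_stats {
    unsigned long binds;       /* successful bind()+getsockname() pairs */
    unsigned long failures;    /* socket()/bind() errors (e.g. sandbox denies sockets) */
    unsigned long sequential;  /* port == previous port - 1 (unpatched behaviour) */
    int min_port, max_port;    /* range of ports observed */
};

/* Bind one UDP socket to 0.0.0.0:0 and return the kernel-chosen port, or -1. */
int ephemeral_udp_port(void)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0)
        return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = 0;                       /* 0 = let the kernel pick */
    if (bind(s, (struct sockaddr *)&sin, sizeof sin) < 0 ||
        getsockname(s, (struct sockaddr *)&sin, &len) < 0) {
        close(s);
        return -1;
    }
    close(s);                               /* UDP: the port is free again immediately */
    return ntohs(sin.sin_port);
}

static double now_seconds(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec + ts.tv_nsec / 1e9;
}

/* Run the bind loop for 'seconds'; returns binds per second, or -1 if nothing bound. */
double bind_benchmark(double seconds, struct bind_stats *st)
{
    double start = now_seconds(), elapsed = 0.0;
    int prev = -1;
    memset(st, 0, sizeof *st);
    st->min_port = 65536;
    st->max_port = 0;
    do {
        int port = ephemeral_udp_port();
        if (port < 0) {
            st->failures++;
            if (st->failures > 1000 && st->binds == 0)
                break;                      /* sockets unavailable: don't spin */
        } else {
            st->binds++;
            if (prev >= 0 && port == prev - 1)
                st->sequential++;
            if (port < st->min_port) st->min_port = port;
            if (port > st->max_port) st->max_port = port;
            prev = port;
        }
        elapsed = now_seconds() - start;
    } while (elapsed < seconds);
    return st->binds ? st->binds / elapsed : -1.0;
}

int main(void)
{
    struct bind_stats st;
    double rate = bind_benchmark(10.0, &st);
    printf("%lu binds in 10 s (%.0f/s), %lu failures, ports %d..%d, "
           "%.1f%% were previous-1\n", st.binds, rate, st.failures,
           st.min_port, st.max_port,
           st.binds > 1 ? 100.0 * st.sequential / (st.binds - 1) : 0.0);
    return 0;
}
```

Build with `cc -O2 -o bindbench bindbench.c` and compare the per-second figures from the two kernels; the difference is the cost of the arc4random() call plus any extra wrap-around searching the random start causes. The "previous-1" percentage is a crude sanity check rather than a randomness test: on the unpatched allocator it should be close to 100%, on the patched one close to 1/(range width).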
