$OpenBSD: patch-tools_scan6_c,v 1.1 2013/09/26 21:52:36 bluhm Exp $
--- tools/scan6.c.orig	Mon Aug 12 09:03:33 2013
+++ tools/scan6.c	Sun Sep  8 22:10:38 2013
@@ -338,8 +338,7 @@ int main(int argc, char **argv){
 		exit(1);
 	}
 
-	srandom(time(NULL));
-	hoplimit=64+random()%180;
+	hoplimit=64+arc4random_uniform(180);
 
 	init_iface_data(&idata);
 
@@ -954,7 +953,7 @@ int main(int argc, char **argv){
 				  */
 				strncpy(oui_ascii, optarg, 8);
 				oui_ascii[8]= 0;
-				strncat(oui_ascii, oui_end, ETHER_ADDR_PLEN-8);
+				strlcat(oui_ascii, oui_end, ETHER_ADDR_PLEN);
 
 				if(ether_pton(oui_ascii, &oui, sizeof(oui)) == 0){
 					puts("Error in vendor IEEE OUI");
@@ -3003,7 +3002,7 @@ int load_vendor_entries(struct scan_list *scan, struct
 			/* zero-terminate the string */
 			oui_ascii[8]= 0;
 
-			strncat(oui_ascii, oui_end, ETHER_ADDR_PLEN);
+			strlcat(oui_ascii, oui_end, ETHER_ADDR_PLEN);
 
 			if(ether_pton(oui_ascii, &oui_list[ouis], sizeof(oui_list[ouis])) == 0){
 				if(verbose_f)
@@ -3465,7 +3464,7 @@ void randomize_ipv6_addr(struct in6_addr *ipv6addr, st
 		ipv6addr->s6_addr16[i]= 0;
 
 	for(i=startrand; i<8; i++)
-		ipv6addr->s6_addr16[i]=random();
+		ipv6addr->s6_addr16[i]=arc4random();
 
 	if(preflen%16){
 		mask=0xffff;
@@ -3490,8 +3489,7 @@ void randomize_ipv6_addr(struct in6_addr *ipv6addr, st
  */
 
 void randomize_ether_addr(struct ether_addr *ethaddr){
-	for(i=0; i<6; i++)
-		ethaddr->a[i]= random();
+	arc4random_buf(ethaddr, sizeof(struct ether_addr));
 
 	ethaddr->a[0]= (ethaddr->a[0] & 0xfc) | 0x02;
 }
@@ -4298,7 +4296,6 @@ int match_ipv6_to_prefixes(struct in6_addr *ipv6addr, 
 
 int send_probe_remote(struct iface_data *idata, struct scan_list *scan, struct in6_addr *srcaddr, unsigned char type){
 	unsigned char				*ptr;
-	unsigned int 				i;
 	struct ether_header			*ether;
 	struct dlt_null				*dlt_null;
 	unsigned char 				*v6buffer;
@@ -4306,7 +4303,6 @@ int send_probe_remote(struct iface_data *idata, struct
 	struct tcphdr				*tcp;
 	struct ip6_dest				*destopth;
 	struct ip6_option			*opt;
-	u_int32_t					*uint32;
 
 	/* max_packet_size holds is equal to the link MTU, since the tool doesn't support packets larger than the link MTU */
 	max_packet_size = idata->mtu;
@@ -4362,10 +4358,8 @@ int send_probe_remote(struct iface_data *idata, struct
 
 			ptr = ptr+ sizeof(struct icmp6_hdr);
 
-			for(i=0; i<(ICMPV6_ECHO_PAYLOAD_SIZE>>2); i++){
-				*(u_int32_t *)ptr = random();
-				ptr += sizeof(u_int32_t);
-			}
+			arc4random_buf(ptr, ICMPV6_ECHO_PAYLOAD_SIZE);
+			ptr += ICMPV6_ECHO_PAYLOAD_SIZE;
 
 			ipv6->ip6_plen = htons((ptr - v6buffer) - MIN_IPV6_HLEN);
 			icmp6->icmp6_cksum = 0;
@@ -4392,8 +4386,7 @@ int send_probe_remote(struct iface_data *idata, struct
 			opt->ip6o_len= 4;
 
 			ptr= ptr + 2;
-			uint32 = (u_int32_t *) ptr;
-			*uint32 = random();
+			arc4random_buf(ptr, 4);
 
 			ptr= ptr +4;
 			icmp6 = (struct icmp6_hdr *) ptr;
@@ -4404,10 +4397,8 @@ int send_probe_remote(struct iface_data *idata, struct
 
 			ptr = ptr+ sizeof(struct icmp6_hdr);
 
-			for(i=0; i<(ICMPV6_ECHO_PAYLOAD_SIZE>>2); i++){
-				*(u_int32_t *)ptr = random();
-				ptr += sizeof(u_int32_t);
-			}
+			arc4random_buf(ptr, ICMPV6_ECHO_PAYLOAD_SIZE);
+			ptr += ICMPV6_ECHO_PAYLOAD_SIZE;
 
 			ipv6->ip6_plen = htons((ptr - v6buffer) - MIN_IPV6_HLEN);
 			icmp6->icmp6_cksum = 0;
@@ -4430,12 +4421,12 @@ int send_probe_remote(struct iface_data *idata, struct
 			if(srcport_f)
 				tcp->th_sport= htons(srcport);
 			else
-				tcp->th_sport= htons(1024+ rand() % 64512);
+				tcp->th_sport= htons(1024+ arc4random_uniform(64512));
 
 			if(dstport_f)
 				tcp->th_dport= htons(dstport);
 			else
-				tcp->th_dport= htons(1+ rand() % 1024);
+				tcp->th_dport= htons(1+ arc4random_uniform(1024));
 
 			if(tcpflags_f)
 				tcp->th_flags= tcpflags;
@@ -4443,11 +4434,11 @@ int send_probe_remote(struct iface_data *idata, struct
 				tcp->th_flags= TH_ACK;
 
 			if(tcpflags & TH_ACK)
-				tcp->th_ack= htonl(rand());
+				tcp->th_ack= arc4random();
 			else
 				tcp->th_ack= htonl(0);
 
-			tcp->th_win= htons( 4096 * (rand() % 9 + 1));
+			tcp->th_win= htons( 4096 * (arc4random_uniform(9) + 1));
 
 			/* Current version of tcp6 does not support sending TCP options */
 			tcp->th_off= sizeof(struct tcphdr) >> 2;
@@ -4458,18 +4449,10 @@ int send_probe_remote(struct iface_data *idata, struct
 				exit(1);
 			}
 
-			while(rhbytes>=4){
-				*(u_int32_t *)ptr = random();
-				ptr += sizeof(u_int32_t);
-				rhbytes -= sizeof(u_int32_t);
-			}
+			arc4random_buf(ptr, rhbytes);
+			ptr += rhbytes;
+			rhbytes = 0;
 
-			while(rhbytes>0){
-				*(u_int8_t *) ptr= (u_int8_t) random();
-				ptr++;
-				rhbytes--;
-			}
-
 			ipv6->ip6_plen = htons((ptr - v6buffer) - MIN_IPV6_HLEN);
 			tcp->th_sum = 0;
 			tcp->th_sum = in_chksum(v6buffer, tcp, ptr-((unsigned char *)tcp), IPPROTO_TCP);
@@ -4521,7 +4504,6 @@ int multi_scan_local(pcap_t *pfd, struct iface_data *i
 	struct sigaction			new_sig, old_sig;
 	struct ip6_dest				*destopth;
 	struct ip6_option			*opt;
-	u_int32_t					*uint32;
 	unsigned char				error_f=0, closefd_f=0, llocalsrc_f=0;
 	int 						result;
 
@@ -4633,16 +4615,14 @@ int multi_scan_local(pcap_t *pfd, struct iface_data *i
 			icmp6 = (struct icmp6_hdr *) ptr;
 			icmp6->icmp6_type = ICMP6_ECHO_REQUEST;
 			icmp6->icmp6_code = 0;
-			icmp6->icmp6_cksum = random();
+			icmp6->icmp6_cksum = arc4random();
 			icmp6->icmp6_data16[0]= htons(getpid());	/* Identifier */
-			icmp6->icmp6_data16[1]= htons(random());	/* Sequence Number */
+			icmp6->icmp6_data16[1]= arc4random();		/* Sequence Number */
 
 			ptr = ptr+ sizeof(struct icmp6_hdr);
 
-			for(i=0; i<(ICMPV6_ECHO_PAYLOAD_SIZE>>2); i++){
-				*(u_int32_t *)ptr = random();
-				ptr += sizeof(u_int32_t);
-			}
+			arc4random_buf(ptr, ICMPV6_ECHO_PAYLOAD_SIZE);
+			ptr += ICMPV6_ECHO_PAYLOAD_SIZE;
 			break;
 
 		case PROBE_UNREC_OPT:
@@ -4668,23 +4648,20 @@ int multi_scan_local(pcap_t *pfd, struct iface_data *i
 			opt->ip6o_len= 4;
 
 			ptr= ptr + 2;
-			uint32 = (u_int32_t *) ptr;
-			*uint32 = random();
+			arc4random_buf(ptr, 4);
 
 			ptr= ptr +4;
 			icmp6 = (struct icmp6_hdr *) ptr;
 			icmp6->icmp6_type = ICMP6_ECHO_REQUEST;
 			icmp6->icmp6_code = 0;
-			icmp6->icmp6_cksum = random();
+			icmp6->icmp6_cksum = arc4random();
 			icmp6->icmp6_data16[0]= htons(getpid());	/* Identifier */
-			icmp6->icmp6_data16[1]= htons(random());	/* Sequence Number */
+			icmp6->icmp6_data16[1]= arc4random();		/* Sequence Number */
 
 			ptr = ptr+ sizeof(struct icmp6_hdr);
 
-			for(i=0; i<(ICMPV6_ECHO_PAYLOAD_SIZE>>2); i++){
-				*(u_int32_t *)ptr = random();
-				ptr += sizeof(u_int32_t);
-			}
+			arc4random_buf(ptr, ICMPV6_ECHO_PAYLOAD_SIZE);
+			ptr += ICMPV6_ECHO_PAYLOAD_SIZE;
 			break;
 	}
 
@@ -4876,7 +4853,6 @@ int host_scan_local(pcap_t *pfd, struct iface_data *id
 	struct sigaction		new_sig, old_sig;
 	struct ip6_dest			*destopth;
 	struct ip6_option		*opt;
-	u_int32_t				*uint32;
 	unsigned char			foundaddr_f=0, error_f=0, closefd_f=0;
 	int				result;
 
@@ -4986,16 +4962,14 @@ int host_scan_local(pcap_t *pfd, struct iface_data *id
 			icmp6 = (struct icmp6_hdr *) ptr;
 			icmp6->icmp6_type = ICMP6_ECHO_REQUEST;
 			icmp6->icmp6_code = 0;
-			icmp6->icmp6_cksum = random();
+			icmp6->icmp6_cksum = arc4random();
 			icmp6->icmp6_data16[0]= htons(getpid());	/* Identifier */
-			icmp6->icmp6_data16[1]= htons(random());		/* Sequence Number */
+			icmp6->icmp6_data16[1]= arc4random();		/* Sequence Number */
 
 			ptr = ptr+ sizeof(struct icmp6_hdr);
 
-			for(i=0; i<(ICMPV6_ECHO_PAYLOAD_SIZE>>2); i++){
-				*(u_int32_t *)ptr = random();
-				ptr += sizeof(u_int32_t);
-			}
+			arc4random_buf((unsigned char *)ptr, ICMPV6_ECHO_PAYLOAD_SIZE);
+			ptr += ICMPV6_ECHO_PAYLOAD_SIZE;
 			break;
 
 		case PROBE_UNREC_OPT:
@@ -5022,23 +4996,20 @@ int host_scan_local(pcap_t *pfd, struct iface_data *id
 			opt->ip6o_len= 4;
 
 			ptr= ptr + 2;
-			uint32 = (u_int32_t *) ptr;
-			*uint32 = random();
+			arc4random_buf((unsigned char *)ptr, 4);
 
 			ptr= ptr +4;
 			icmp6 = (struct icmp6_hdr *) ptr;
 			icmp6->icmp6_type = ICMP6_ECHO_REQUEST;
 			icmp6->icmp6_code = 0;
-			icmp6->icmp6_cksum = random();
+			icmp6->icmp6_cksum = arc4random();
 			icmp6->icmp6_data16[0]= htons(getpid());	/* Identifier */
-			icmp6->icmp6_data16[1]= htons(random());	/* Sequence Number */
+			icmp6->icmp6_data16[1]= arc4random();		/* Sequence Number */
 
 			ptr = ptr+ sizeof(struct icmp6_hdr);
 
-			for(i=0; i<(ICMPV6_ECHO_PAYLOAD_SIZE>>2); i++){
-				*(u_int32_t *)ptr = random();
-				ptr += sizeof(u_int32_t);
-			}
+			arc4random_buf((unsigned char *)ptr, ICMPV6_ECHO_PAYLOAD_SIZE);
+			ptr += ICMPV6_ECHO_PAYLOAD_SIZE;
 			break;
 	}
 
@@ -5623,7 +5594,7 @@ int send_neighbor_advert(struct iface_data *idata, pca
 
 		memcpy(fptr, (char *) &fraghdr, FRAG_HDR_SIZE);
 		fh= (struct ip6_frag *) fptr;
-		fh->ip6f_ident=random();
+		fh->ip6f_ident=arc4random();
 		startoffragment = fptr + FRAG_HDR_SIZE;
 
 		/*
