Calling the rand() function several times to produce a sequence of pseudorandom numbers generates the same sequence on every run of the program unless the generator has been seeded.

This is a security threat: after observing the first run, an attacker knows the sequence that every later run will generate.

Noncompliant Code Example

The following code generates a sequence of 10 pseudorandom numbers. No matter how many times this code is executed, it always produces the same sequence, because rand() is never seeded and therefore starts from its default state (equivalent to srand(1)).

Code Block
#include <stdio.h>
#include <stdlib.h>

for (int i = 0; i < 10; i++)
{
    printf("%d\n", rand()); /* Always generates the same sequence */
}

Compliant Solution

Use srand() before the first call to rand() to seed the sequence that rand() generates. Seeding from the current time gives a different seed, and therefore a different sequence, on each run.

Code Block
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

srand(time(NULL)); /* Create seed based on current time */

for (int i = 0; i < 10; i++)
{
    printf("%d\n", rand()); /* Generates different sequences at different runs */
}
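The following program is an added example, not code from the CERT standard page, that makes the two behaviours above observable in one run: drawing a sequence after srand(1) reproduces exactly what an unseeded program gets on every run, two different seeds give different sequences, and the time-based seeding the compliant solution recommends is shown with its limitation (two runs started in the same second share a seed). The function names generate_sequence, sequences_equal, unseeded_is_repeatable, different_seeds_differ and seed_from_time are this example's own. Note that even when seeded, rand() is a statistical generator, not a cryptographic one, so it is unsuitable for keys, tokens or session identifiers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define SEQ_LEN 10

/* Seed the generator with `seed`, then draw n values into `out`.
 * srand() resets the generator state, so the same seed always yields
 * the same sequence. An unseeded program behaves as if srand(1) had
 * been called, which is why its output never changes between runs. */
void generate_sequence(unsigned seed, int *out, size_t n)
{
    srand(seed);
    for (size_t i = 0; i < n; i++) {
        out[i] = rand();
    }
}

/* Return 1 if two sequences of length n are identical, else 0. */
int sequences_equal(const int *a, const int *b, size_t n)
{
    return memcmp(a, b, n * sizeof *a) == 0;
}

/* The noncompliant case: the default seed of 1 reproduces the same
 * sequence on every draw. Returns 1 when the two draws match. */
int unseeded_is_repeatable(void)
{
    int first[SEQ_LEN], second[SEQ_LEN];
    generate_sequence(1, first, SEQ_LEN);
    generate_sequence(1, second, SEQ_LEN);
    return sequences_equal(first, second, SEQ_LEN);
}

/* Different seeds lead to different sequences. Returns 1 when the
 * sequences for seed 1 and seed 2 differ. */
int different_seeds_differ(void)
{
    int first[SEQ_LEN], second[SEQ_LEN];
    generate_sequence(1, first, SEQ_LEN);
    generate_sequence(2, second, SEQ_LEN);
    return !sequences_equal(first, second, SEQ_LEN);
}

/* The compliant pattern from the page: seed from the clock. Returns the
 * seed actually used so a caller can log it. Caveat: runs that start
 * within the same second receive the same seed and thus the same
 * sequence, and rand() is not a cryptographic generator either way. */
unsigned seed_from_time(void)
{
    unsigned seed = (unsigned)time(NULL);
    srand(seed);
    return seed;
}

int main(void)
{
    int seq[SEQ_LEN];

    generate_sequence(1, seq, SEQ_LEN);
    printf("default seed (1), identical on every run:");
    for (size_t i = 0; i < SEQ_LEN; i++) {
        printf(" %d", seq[i]);
    }
    printf("\n");

    unsigned seed = seed_from_time();
    printf("time-based seed %u, differs between runs:", seed);
    for (size_t i = 0; i < SEQ_LEN; i++) {
        printf(" %d", rand());
    }
    printf("\n");
    return 0;
}
```

Running the program twice prints the same first line both times and, unless the runs fall in the same second, a different second line. The first line is exactly what the noncompliant example prints across runs.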

Risk Assessment

Rule    | Severity | Likelihood | Remediation Cost | Priority | Level
--------|----------|------------|------------------|----------|------
MSC18-C |          | likely     |                  |          |

Automated Detection

TODO

Related Vulnerabilities

TODO

Other Languages

This recommendation appears in the C++ Secure Coding Standard as MSC19CPP: Use srand() before rand() to generate different sequences of pseudorandom numbers.

References

C++Reference