From 23fd5ea667fe75a09bc827a0a8a0278009a88e7b Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Tue, 29 Nov 2011 15:56:12 +0000
Subject: [PATCH] - Fixed a potential loop bug
---
library/ctr_drbg.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index cc295c73f..d60770393 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@@ -253,6 +253,7 @@ int ctr_drbg_random_with_add( void *p_rng,
unsigned char *p = output;
unsigned char tmp[CTR_DRBG_BLOCKSIZE];
int cb, i;
+ size_t use_len;
if( output_len > CTR_DRBG_MAX_REQUEST )
return( POLARSSL_ERR_CTR_DRBG_REQUEST_TOO_BIG );
@@ -293,12 +294,13 @@ int ctr_drbg_random_with_add( void *p_rng,
*/
aes_crypt_ecb( &ctx->aes_ctx, AES_ENCRYPT, ctx->counter, tmp );
+ use_len = (output_len > CTR_DRBG_BLOCKSIZE ) ? CTR_DRBG_BLOCKSIZE : output_len;
/*
* Copy random block to destination
*/
- memcpy( p, tmp, (output_len > CTR_DRBG_BLOCKSIZE ) ? CTR_DRBG_BLOCKSIZE : output_len );
- p += CTR_DRBG_BLOCKSIZE;
- output_len -= CTR_DRBG_BLOCKSIZE;
+ memcpy( p, tmp, use_len );
+ p += use_len;
+ output_len -= use_len;
}
ctr_drbg_update( ctx, add_input );
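Review bot: `tmp` still holds the last generated block when the loop exits, and nothing in this hunk wipes it, so DRBG output that callers may use as key material is left on the stack. With the new `use_len` clamp, the tail of a partial final block that was never copied out stays there too. The function starts before and continues past this hunk, so first confirm there is no wipe further down. If there is none, clear the buffer after the loop in a way the compiler cannot elide, e.g. `{ volatile unsigned char *v = tmp; size_t n = sizeof( tmp ); while( n-- ) *v++ = 0; }`; a plain `memset` just before the return may be optimized away.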