CERT.MSC.SEED_RANDOM

Properly seed pseudorandom number generators.

This checker highlights calls to random() that are not seeded by a call to srandom().

Vulnerability and risk

Calling a pseudorandom number generator in the same initial state, either without seeding it explicitly or by seeding it with the same value, results in generating the same sequence of random numbers in different runs of the program.

Vulnerable code example

#include <stdio.h>
#include <stdlib.h>

void func(void) {
    for (unsigned int i = 0; i < 10; ++i) {
        /* random() was never seeded with srandom(), so this always
         * generates the same sequence on every run of the program */
        printf("%ld, ", random());
    }
}

This noncompliant code example generates a sequence of 10 pseudorandom numbers using the random() function. When random() is not seeded, it behaves like rand(), producing the same sequence of random numbers each time any program that uses it is run.
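The following is an added example, not code from the Klocwork checker page: it shows the reproducibility the checker warns about (POSIX specifies that an unseeded random() behaves as if srandom(1) had been called) and a compliant counterpart of func() that seeds once from the OS entropy pool, falling back to the clock. The helper names (generate_seeded, sequences_equal, obtain_seed) are this example's own.

```c
#define _DEFAULT_SOURCE   /* expose POSIX random()/srandom() in <stdlib.h> */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define SEQ_LEN 8

/* Seed the generator with 'seed', then draw SEQ_LEN values into out[]. */
static void generate_seeded(unsigned int seed, long out[SEQ_LEN]) {
    srandom(seed);
    for (size_t i = 0; i < SEQ_LEN; ++i) {
        out[i] = random();
    }
}

/* Return 1 if the two sequences are identical, 0 otherwise. */
static int sequences_equal(const long a[SEQ_LEN], const long b[SEQ_LEN]) {
    return memcmp(a, b, sizeof(long) * SEQ_LEN) == 0;
}

/* Fill *seed from /dev/urandom. Returns 1 if the OS pool was used, 0 if it
 * fell back to time(NULL), which CERT accepts but which is guessable. */
static int obtain_seed(unsigned int *seed) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f != NULL) {
        size_t n = fread(seed, sizeof(*seed), 1, f);
        fclose(f);
        if (n == 1) return 1;
    }
    *seed = (unsigned int)time(NULL);
    return 0;
}

int main(void) {
    long a[SEQ_LEN], b[SEQ_LEN], c[SEQ_LEN];
    /* Seed 1 is the implicit state of an unseeded random() (POSIX), so two
     * "runs" with that state are indistinguishable; a different seed is not. */
    generate_seeded(1, a);
    generate_seeded(1, b);
    generate_seeded(2, c);
    printf("unseeded-equivalent runs identical: %d\n", sequences_equal(a, b));
    printf("different seeds identical: %d\n", sequences_equal(a, c));

    /* Compliant counterpart to func(): seed once per process, then draw. */
    unsigned int seed;
    printf("seed from OS pool: %d\n", obtain_seed(&seed));
    generate_seeded(seed, a);
    for (size_t i = 0; i < SEQ_LEN; ++i) printf("%ld, ", a[i]);
    printf("\n");
    return 0;
}
```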