[SystemSafety] OpenSSL Bug

Martin Pugh martin.pugh at blueyonder.co.uk
Mon Apr 14 22:43:40 CEST 2014



Comparing OpenSSL rev 1.0.1f and 1.0.1g (fixed), the (relevant) changed bit of
code appears to be:


        /* Read type and payload length first */
        if (1 + 2 + 16 > s->s3->rrec.length)
                return 0; /* silently discard */
        hbtype = *p++;
        n2s(p, payload);
        if (1 + 2 + payload + 16 > s->s3->rrec.length)
                return 0; /* silently discard per RFC 6520 sec. 4 */
        pl = p;


This corrects an implementation error which didn't meet the requirement, i.e.
RFC 6520 sec. 4, as the comment says.

All this argument about languages, type checking, array bounds checking etc
is irrelevant in this particular instance.

I take my hat off to the open source community for their efforts.

Where would we be without them?

The alternative is to let the NSA provide our "secure" software for us, as
most commercial organisations won't pay for the development.


Martin Pugh
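The two length checks quoted in the message, rewritten here as a stand-alone validator so the before/after behaviour can be exercised on constructed records. This is an added example, not OpenSSL code: the function names (heartbeat_lengths_ok, build_heartbeat, check_case), the buffer layout and the sample records are assumptions for illustration. The record layout follows RFC 6520 sec. 4 (1-byte type, 2-byte big-endian payload_length, payload, at least 16 bytes of padding), and the second check is the one 1.0.1f was missing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not OpenSSL's code). RFC 6520 sec. 4 heartbeat layout. */
#define HB_HEADER_LEN   3   /* type (1) + payload_length (2) */
#define HB_MIN_PADDING 16   /* minimum padding the RFC requires */

/* Returns 1 if the heartbeat message fits inside a record of rrec_length
 * bytes (writing the declared payload length to *payload_len when non-NULL),
 * or 0 if the record must be silently discarded. */
int heartbeat_lengths_ok(const unsigned char *rec, size_t rrec_length,
                         uint16_t *payload_len)
{
    uint16_t payload;

    /* First check: room for the header plus minimal padding at all? */
    if ((size_t)HB_HEADER_LEN + HB_MIN_PADDING > rrec_length)
        return 0;

    /* Equivalent of n2s(): read the 16-bit length in network byte order. */
    payload = (uint16_t)(((unsigned)rec[1] << 8) | rec[2]);

    /* Second check (the one added in 1.0.1g): the *declared* payload plus
     * padding must fit in what was actually received. Without it a short
     * record carrying a large declared length is trusted, and the reply is
     * built from bytes beyond the record. */
    if ((size_t)HB_HEADER_LEN + payload + HB_MIN_PADDING > rrec_length)
        return 0;

    if (payload_len)
        *payload_len = payload;
    return 1;
}

/* Demo helper: build a record whose declared length and actual payload size
 * are chosen independently, so the two can disagree. Returns bytes written,
 * or 0 if buf is too small. */
size_t build_heartbeat(unsigned char *buf, size_t bufsize,
                       uint16_t declared_len, size_t actual_payload)
{
    size_t total = HB_HEADER_LEN + actual_payload + HB_MIN_PADDING;
    if (total > bufsize)
        return 0;
    buf[0] = 1; /* heartbeat_request */
    buf[1] = (unsigned char)(declared_len >> 8);
    buf[2] = (unsigned char)(declared_len & 0xff);
    memset(buf + HB_HEADER_LEN, 'A', actual_payload);
    memset(buf + HB_HEADER_LEN + actual_payload, 0, HB_MIN_PADDING);
    return total;
}

/* Runs the validator on a constructed record: 1 = accepted, 0 = discarded,
 * -1 = demo buffer too small. */
int check_case(uint16_t declared_len, size_t actual_payload)
{
    unsigned char rec[128];
    size_t n = build_heartbeat(rec, sizeof rec, declared_len, actual_payload);
    if (n == 0)
        return -1;
    return heartbeat_lengths_ok(rec, n, NULL);
}

int main(void)
{
    /* Constructed cases: consistent, over-declared, and truncated record. */
    printf("declared 4, sent 4      -> %d (expect 1)\n", check_case(4, 4));
    printf("declared 65535, sent 4  -> %d (expect 0)\n", check_case(65535, 4));
    printf("declared 4, sent 2      -> %d (expect 0)\n", check_case(4, 2));
    {
        unsigned char rec[32] = { 1, 0, 0 };
        printf("10-byte record          -> %d (expect 0)\n",
               heartbeat_lengths_ok(rec, 10, NULL));
    }
    return 0;
}
```

The over-declared case (declared 65535, 4 bytes sent) is exactly the record shape the first check alone lets through; the second check is what turns it into a silent discard.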



