Re: [SystemSafety] OpenSSL Bug

From: Martin Pugh < >
Date: Mon, 14 Apr 2014 21:43:40 +0100

 

Comparing OpenSSL rev 1.0.1 f and g (fixed), the (relevant) changed bit of code appears to be:

    /* Read type and payload length first */
    if (1 + 2 + 16 > s->s3->rrec.length)
        return 0; /* silently discard */
    hbtype = *p++;
    n2s(p, payload);
    if (1 + 2 + payload + 16 > s->s3->rrec.length)
        return 0; /* silently discard per RFC 6520 sec. 4 */
    pl = p;

 

This corrects an implementation error which didn't meet the requirement, i.e. RFC 6520 sec. 4, as the comment says.

All this argument about languages, type checking, array bounds checking etc is irrelevant in this particular instance.

I take my hat off to the open source community for their efforts.

Where would we be without them?

The alternative is to let the NSA provide our "secure" software for us as most commercial organisations won't pay for the development.

Martin Pugh  

_______________________________________________ The System Safety Mailing List systemsafety_at_xxxxxx
Received on Mon Apr 14 2014 - 22:43:59 CEST
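
The two length checks quoted in the message above, as a stand-alone C function run against constructed records. This is an added example, not OpenSSL's code and not part of the original post; `hb_parse` and `hb_check_sample` are hypothetical names, and the second check is written as a subtraction so that it cannot wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HB_HEADER_LEN  3   /* 1 byte type + 2 byte payload_length */
#define HB_MIN_PADDING 16  /* RFC 6520 sec. 4: at least 16 bytes of padding */

/* Hypothetical helper: validates one heartbeat message in rec[0..rec_len).
 * Returns 0 and fills the outputs when the message is well formed,
 * -1 when it must be silently discarded. */
int hb_parse(const uint8_t *rec, size_t rec_len, uint8_t *type,
             const uint8_t **payload, size_t *payload_len)
{
    size_t declared;

    /* Too short to hold type, length field and minimum padding. */
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;

    declared = ((size_t)rec[1] << 8) | rec[2];   /* the value n2s() reads */

    /* The declared length is sender-controlled: it has to fit inside
     * the bytes that were actually received. */
    if (declared > rec_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return -1;

    *type = rec[0];
    *payload = rec + HB_HEADER_LEN;
    *payload_len = declared;
    return 0;
}

/* Constructed sample: a zero-filled record of rec_len bytes carrying the
 * given declared payload length; returns hb_parse()'s verdict. */
int hb_check_sample(size_t rec_len, uint16_t declared)
{
    uint8_t rec[64] = {0};
    uint8_t type; const uint8_t *pl; size_t n;
    if (rec_len > sizeof rec) return -2;
    rec[0] = 1;                          /* heartbeat_request */
    rec[1] = (uint8_t)(declared >> 8);
    rec[2] = (uint8_t)(declared & 0xff);
    return hb_parse(rec, rec_len, &type, &pl, &n);
}

int main(void)
{
    printf("%d %d\n", hb_check_sample(24, 5), hb_check_sample(19, 0x4000));
    return 0;
}
```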
