A serious security bug... caused by no bounds checking.

Marco Leise Marco.Leise at gmx.de
Fri Apr 11 09:21:06 PDT 2014


On Fri, 11 Apr 2014 11:38:54 +0000,
"Kagamin" <spam at here.lot> wrote:

> On Thursday, 10 April 2014 at 07:14:10 UTC, Marco Leise wrote:
> > On Thu, 10 Apr 2014 06:51:40 +0000,
> > "w0rp" <devw0rp at gmail.com> wrote:
> >
> >> On Wednesday, 9 April 2014 at 12:36:49 UTC, Marco Leise wrote:
> >> > Sorry, but wasn't this security risk instead caused by
> >> > uninitialized memory, and shouldn't you instead have said:
> >> >
> >> > "I'm glad to be using a language with default 
> >> > initialization?"
> >> 
> >> Nope, it was caused by missing bounds checking.
> >> 
> >> https://www.openssl.org/news/secadv_20140407.txt
> >> 
> >> > A missing bounds check [...]
> >
> > Haha, I tried to read that about an hour ago to inform myself,
> > but it still doesn't load for me.
> 
> http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
> The server copies data received from the client and sends it 
> back, the length is specified (or forged) by the client, 
> everything is initialized just fine.

Ah, so this is a typical ping packet, where you copy all
payload bytes from the client's packet and send them back.
Just that in this case the client can write anything into
the length header and OpenSSL would try to copy as many bytes
from the client provided packet into the answer packet, even if
that means reading beyond the end of that packet.

This still doesn't touch D's array bounds checking at all,
because the array pointer and length come from an unreliable
source to begin with!

-- 
Marco
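
To make the mechanism described in this message concrete, here is an added C example. It is not OpenSSL's code and not code from anyone in this thread; it models a heartbeat handler two ways, once trusting the client's length field the way the pre-fix code did, and once with the "does the claimed length fit in what was actually received" check that the fix added. The record layout follows the TLS heartbeat format (type, 2-byte big-endian payload length, payload, at least 16 bytes of padding); the buffer sizes, the "secret" placed right after the record, the forged length of 60 and all function names are constructed for the demo and are assumptions, not anything from the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not OpenSSL's code. Heartbeat message model:
 * type(1) | payload_length(2, big-endian) | payload | padding(>=16).
 * Names, sizes and the "secret" below are assumptions for the demo. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

typedef size_t (*hb_handler)(const unsigned char *, size_t,
                             unsigned char *, size_t);

/* Pre-fix logic: payload_length comes from the message and is never
 * compared with how many bytes actually arrived (rec_len is ignored).
 * Returns the number of response bytes written to out, 0 if none. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                   /* the bug */
    unsigned char type = rec[0];
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = 1 + 2 + (size_t)payload_len + HB_PADDING;

    if (type != HB_REQUEST || resp_len > out_cap)    /* only output is bounded */
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    /* Copies payload_len bytes starting at the payload, whatever happens
     * to follow the real record in memory is echoed back to the client. */
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);    /* OpenSSL used random padding */
    return resp_len;
}

/* Post-fix logic: same handler plus the check that makes a forged
 * length fail before anything is copied. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)                /* too short to parse */
        return 0;
    unsigned char type = rec[0];
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = 1 + 2 + (size_t)payload_len + HB_PADDING;
    if (type != HB_REQUEST || resp_len > out_cap)
        return 0;
    /* Decisive check: header + claimed payload + padding must fit inside
     * the bytes the peer actually sent, otherwise discard silently. */
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Constructed scenario: one flat array stands in for server memory, the
 * received record at the front and unrelated "secret" data right after
 * it. Keeping both in one array keeps the over-read inside the array
 * (defined behaviour) while reproducing the effect of the real bug. */
#define MEM_SIZE 128
#define REAL_PAYLOAD_LEN 5                 /* the client really sends "hello" */
static const char SECRET[] = "session-ticket-key=deadbeef";   /* made up */

/* Lays out memory and a request claiming `claimed_len` payload bytes;
 * returns the true record length (24 bytes here). */
static size_t build_scenario(unsigned char *mem, uint16_t claimed_len)
{
    memset(mem, 'A', MEM_SIZE);            /* filler for other heap data */
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + 3, "hello", REAL_PAYLOAD_LEN);
    memset(mem + 3 + REAL_PAYLOAD_LEN, 0, HB_PADDING);
    size_t rec_len = 1 + 2 + REAL_PAYLOAD_LEN + HB_PADDING;
    memcpy(mem + rec_len, SECRET, sizeof SECRET - 1);   /* adjacent data */
    return rec_len;
}

/* 1 if the handler's reply to a forged request (claims 60 bytes, 5 are
 * real) contains the secret that sits after the record, else 0. */
int response_leaks_secret(hb_handler handler)
{
    unsigned char mem[MEM_SIZE], out[256];
    size_t rec_len = build_scenario(mem, 60);
    size_t n = handler(mem, rec_len, out, sizeof out);
    for (size_t i = 3; n && i + (sizeof SECRET - 1) <= n; i++)
        if (memcmp(out + i, SECRET, sizeof SECRET - 1) == 0)
            return 1;
    return 0;
}

/* Reply length for an honest request (claimed length == real length). */
size_t honest_response_len(hb_handler handler)
{
    unsigned char mem[MEM_SIZE], out[256];
    size_t rec_len = build_scenario(mem, REAL_PAYLOAD_LEN);
    return handler(mem, rec_len, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", response_leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n", response_leaks_secret(heartbeat_fixed));
    printf("fixed handler, honest request:   %zu bytes\n", honest_response_len(heartbeat_fixed));
    return 0;
}
```

The point the example makes is the one in the message: nothing here is uninitialized, the bytes that leak are perfectly valid data that merely lies beyond the end of the received record, so the fix is the length comparison in heartbeat_fixed, not default initialization. A real exploit claims up to 65535 bytes; the demo keeps the forged length within its own array so it stays well defined.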


