A serious security bug... caused by no bounds checking.

Steven Schveighoffer schveiguy at yahoo.com
Fri Apr 11 09:36:40 PDT 2014


On Fri, 11 Apr 2014 12:21:06 -0400, Marco Leise <Marco.Leise at gmx.de> wrote:

> Am Fri, 11 Apr 2014 11:38:54 +0000
> schrieb "Kagamin" <spam at here.lot>:

>> http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
>> The server copies data received from the client and sends it
>> back, the length is specified (or forged) by the client,
>> everything is initialized just fine.
>
> Ah, so this is a typical ping packet, where you copy all
> payload bytes from the client's packet and send them back.
> Just that in this case the client can write anything into
> the length header and OpenSSL would try to copy as many bytes
> from the client provided packet into the answer packet, even if
> that means reading beyond the end of that packet.
>
> This still doesn't touch D's array bounds checking at all,
> because the array pointer and length come from an unreliable
> source to begin with!

But in a D-created struct, the data would be an array, instead of a ptr+length.

-Steve
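
To make the point concrete, here is an added D example (not code from the thread or from any OpenSSL or D library): a heartbeat-style echo where the record's claimed length comes from the wire, but the payload is held as a D slice rather than a bare ptr+length. The wire format (2-byte big-endian length followed by payload), the `Record` struct and the sample records are all constructed for this illustration.

```d
import std.exception : assertThrown;
import core.exception : RangeError;

// Constructed wire format: 2-byte big-endian claimed length, then payload.
// The claimed length is attacker controlled; the payload slice is whatever
// was actually received and carries its own true length.
struct Record {
    ushort claimedLength;   // untrusted value parsed from the header
    ubyte[] payload;        // slice over the bytes actually present
}

Record parseRecord(const(ubyte)[] wire) {
    if (wire.length < 2)
        throw new Exception("record too short for a length header");
    ushort len = cast(ushort)((wire[0] << 8) | wire[1]);
    return Record(len, wire[2 .. $].dup);
}

// Echo that trusts the header, the Heartbleed pattern. A C ptr+length copy
// would read past the received bytes; a D slice bound beyond .length fails
// the bounds check and throws RangeError instead of leaking memory.
ubyte[] echoTrusting(Record r) {
    return r.payload[0 .. r.claimedLength].dup;
}

// Hardened echo: validate the claimed length against the bytes present
// and drop the record when it does not fit.
ubyte[] echoValidated(Record r) {
    if (r.claimedLength > r.payload.length)
        return null;
    return r.payload[0 .. r.claimedLength].dup;
}

void main() {
    // constructed: claims 4 bytes, carries 4 bytes
    auto good = parseRecord([0, 4, 'p', 'i', 'n', 'g']);
    assert(echoTrusting(good) == cast(const(ubyte)[])"ping");
    assert(echoValidated(good) == cast(const(ubyte)[])"ping");

    // constructed: claims 64 bytes, carries only 4
    auto forged = parseRecord([0, 64, 'p', 'i', 'n', 'g']);
    assertThrown!RangeError(echoTrusting(forged));
    assert(echoValidated(forged) is null);
}
```

Two caveats for practitioners: the RangeError in `echoTrusting` only exists while bounds checks are compiled in (dmd removes them from non-`@safe` code under `-release`), and a thrown RangeError is a crash rather than graceful handling, so the explicit length check in `echoValidated` is the form you actually want in a parser. The bounds check is the safety net; the comparison against `payload.length` is the fix.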

