A serious security bug... caused by no bounds checking.
Kagamin
spam at here.lot
Fri Apr 11 04:38:54 PDT 2014
On Thursday, 10 April 2014 at 07:14:10 UTC, Marco Leise wrote:
> Am Thu, 10 Apr 2014 06:51:40 +0000
> schrieb "w0rp" <devw0rp at gmail.com>:
>
>> On Wednesday, 9 April 2014 at 12:36:49 UTC, Marco Leise wrote:
>> > Sorry, but wasn't this security risk instead caused by
>> > uninitialized memory, and shouldn't you instead have said:
>> >
>> > "I'm glad to be using a language with default
>> > initialization?"
>>
>> Nope, it was caused by missing bounds checking.
>>
>> https://www.openssl.org/news/secadv_20140407.txt
>>
>> > A missing bounds check [...]
>
> Haha, I tried to read that about an hour ago to inform myself,
> but it still doesn't load for me.
http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
The server copies data received from the client and sends it back; the length is specified (or forged) by the client; everything is initialized just fine.
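The pattern described in this message, an echo service that copies back as many bytes as the client's own length field claims, can be shown in a few lines of C. The example below is added here for illustration; it is not code from the thread, from OpenSSL, or from the linked blog post. The record layout (1-byte type, 2-byte big-endian length, payload), the arena standing in for server memory, and the secret string placed after the record are all constructed for the demo. The unchecked variant trusts the length field; the checked variant refuses any record whose claimed payload would extend past the bytes actually received, which is the bounds check this message says was missing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified record layout assumed for this example (not the real TLS
 * heartbeat encoding): 1 byte type, 2-byte big-endian payload length
 * claimed by the sender, then the payload. */
#define HDR_LEN 3

/* Constructed stand-in for the server's address space: the received record
 * is placed at the start and whatever follows it plays the role of adjacent
 * process memory. Sized so the demo's over-read stays inside it; a claimed
 * length larger than the arena would read outside it in a real process. */
#define ARENA_SIZE 64
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "SECRET_KEY_MATERIAL"; /* constructed */

/* Lay out a record with a client-chosen length field and return the number
 * of bytes that were actually received on the wire. */
static size_t build_record(uint16_t claimed_len, const char *payload)
{
    size_t plen = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = 0x01;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HDR_LEN, payload, plen);
    /* secret data that happens to sit right after the record */
    memcpy(arena + HDR_LEN + plen, secret, sizeof secret - 1);
    return HDR_LEN + plen;
}

/* Vulnerable: the copy length is whatever the client wrote in the header.
 * rec_len, the amount actually received, is never compared against it. */
static size_t respond_unchecked(const unsigned char *rec, size_t rec_len,
                                unsigned char *out)
{
    uint16_t claimed = (uint16_t)(((unsigned)rec[1] << 8) | rec[2]);
    (void)rec_len; /* ignored: this is the missing bounds check */
    memcpy(out, rec + HDR_LEN, claimed);
    return claimed;
}

/* Fixed: refuse any record whose claimed payload does not fit inside the
 * bytes actually received. Returns 0 on success, -1 if the record is dropped. */
static int respond_checked(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t *out_len)
{
    if (rec_len < HDR_LEN)
        return -1;
    uint16_t claimed = (uint16_t)(((unsigned)rec[1] << 8) | rec[2]);
    if ((size_t)HDR_LEN + claimed > rec_len)
        return -1; /* forged length: silently discard, echo nothing */
    memcpy(out, rec + HDR_LEN, claimed);
    *out_len = claimed;
    return 0;
}

/* True if the response contains the adjacent secret, i.e. memory leaked. */
static int response_leaks_secret(const unsigned char *out, size_t n)
{
    size_t slen = sizeof secret - 1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, secret, slen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    unsigned char out[ARENA_SIZE];
    size_t n, got;

    /* 5-byte payload, but the client claims 40 bytes */
    n = build_record(40, "hello");
    got = respond_unchecked(arena, n, out);
    printf("unchecked: echoed %zu bytes, leaked secret: %s\n", got,
           response_leaks_secret(out, got) ? "yes" : "no");
    printf("checked:   %s\n",
           respond_checked(arena, n, out, &got) == 0 ? "echoed" : "dropped");

    /* honest record: claimed length matches what was sent */
    n = build_record(5, "hello");
    printf("checked honest: %s\n",
           respond_checked(arena, n, out, &got) == 0 ? "echoed" : "dropped");
    return 0;
}
```

Note that nothing here is uninitialized: the arena is zeroed and then filled, and the leaked bytes are ordinary, fully initialized data that happens to sit next to the record. Default initialization would not have helped; only comparing the claimed length with the received length does.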