I sent this to openssl-dev previously, but I think it got lost in the noise there (since it didn't go through rt).
In OpenSSL 0.9.6h, there are a couple of BN_init() bugs in crypto/dsa/dsa_ossl.c. The BN_init() calls in question are in the functions:

  dsa_do_sign()      (lines 113-114)
  dsa_sign_setup()   (line 187)
  dsa_do_verify()    (lines 239-241)

In all cases, the BN_init() calls need to be moved before the first if statement (so that they are the first functions executed). As written, if you goto the err label before doing the BN_init() call you could cause a crash when you attempt to free a garbage pointer. The same bugs exist in 0.9.7 but on slightly different line numbers.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                         [EMAIL PROTECTED]
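The ordering problem the report describes, shown as an added illustration that is not code from OpenSSL or from the reporter. It uses a toy TOY_BN in place of BIGNUM and a toy TOY_DSA in place of DSA (both assumptions, deliberately simplified), and its toy_bn_free() checks a cookie set by toy_bn_init() so that freeing a never-initialised struct is reported as a return code instead of the crash the real BN_clear_free() would produce. sign_buggy() has the check-then-init order the report complains about; sign_fixed() has the init-first order it asks for. The drivers fill the "stack frame" with 0xA5 bytes to model stale stack contents (constructed input).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for OpenSSL's BIGNUM (assumption: deliberately simplified).
 * Like the real one it owns heap storage (d) that the free routine releases. */
typedef struct {
    unsigned long *d;
    int top, dmax;
    unsigned int cookie;  /* set by toy_bn_init(); lets toy_bn_free() detect a
                             never-initialised struct instead of crashing */
} TOY_BN;

#define TOY_BN_COOKIE 0x1D0C0DEDu

static void toy_bn_init(TOY_BN *a)
{
    memset(a, 0, sizeof *a);
    a->cookie = TOY_BN_COOKIE;
}

/* Returns 0 on a clean free, -1 if the struct was never initialised.
 * The real BN_clear_free() has no such guard: it hands whatever a->d
 * happens to hold (stale stack contents) to free(), and the process crashes. */
static int toy_bn_free(TOY_BN *a)
{
    if (a->cookie != TOY_BN_COOKIE)
        return -1;
    free(a->d);
    a->d = NULL;
    a->cookie = 0;
    return 0;
}

typedef struct { int has_params; } TOY_DSA;   /* 1 if p, q, g are present */

enum { SIGN_OK = 0, SIGN_ERR = -1, SIGN_FREED_GARBAGE = -2 };

/* Ordering as the report describes it: the parameter check and its goto err
 * come before the init calls. 'frame' stands in for the function's own stack
 * locals; the caller fills it with garbage to model a stale stack frame. */
static int sign_buggy(const TOY_DSA *dsa, TOY_BN frame[2])
{
    TOY_BN *m = &frame[0], *xr = &frame[1];
    int ret = SIGN_ERR;

    if (!dsa->has_params)
        goto err;                        /* m and xr still uninitialised here */
    toy_bn_init(m);
    toy_bn_init(xr);
    m->d = calloc(4, sizeof *m->d);      /* stand-in for real work on m */
    ret = SIGN_OK;
err:
    if (toy_bn_free(m) != 0 || toy_bn_free(xr) != 0)
        ret = SIGN_FREED_GARBAGE;        /* real code: crash inside free() */
    return ret;
}

/* The fix the report asks for: initialise first, before any path to err. */
static int sign_fixed(const TOY_DSA *dsa, TOY_BN frame[2])
{
    TOY_BN *m = &frame[0], *xr = &frame[1];
    int ret = SIGN_ERR;

    toy_bn_init(m);
    toy_bn_init(xr);
    if (!dsa->has_params)
        goto err;                        /* err path now frees zeroed, valid structs */
    m->d = calloc(4, sizeof *m->d);
    ret = SIGN_OK;
err:
    if (toy_bn_free(m) != 0 || toy_bn_free(xr) != 0)
        ret = SIGN_FREED_GARBAGE;
    return ret;
}

/* Drivers: poison the frame the way a reused stack region would be (constructed). */
static int run_buggy(int has_params)
{
    TOY_BN frame[2];
    TOY_DSA dsa = { has_params };
    memset(frame, 0xA5, sizeof frame);
    return sign_buggy(&dsa, frame);
}

static int run_fixed(int has_params)
{
    TOY_BN frame[2];
    TOY_DSA dsa = { has_params };
    memset(frame, 0xA5, sizeof frame);
    return sign_fixed(&dsa, frame);
}

int main(void)
{
    printf("buggy, missing params: %d\n", run_buggy(0));   /* -2 */
    printf("fixed, missing params: %d\n", run_fixed(0));   /* -1 */
    printf("buggy, params present: %d\n", run_buggy(1));   /* 0 */
    printf("fixed, params present: %d\n", run_fixed(1));   /* 0 */
    return 0;
}
```

The point the cookie makes visible is that the bug only bites on the early-error path: with parameters present both versions behave identically, which is why an ordering mistake like this survives normal testing. Whenever a function has a shared err: label that frees locals, every local it frees has to be initialised before the first goto err, not merely before its first real use.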