On Fri, Mar 02, 2007 at 02:06:09PM +1100, Erik de Castro Lopo wrote:
> Hi all,
> 
> I'm working with version 0.9.8c distributed as part of Ubuntu but
> I have also verified that the same problem exists with the latest
> release 0.9.8e.

Please see:
http://www.mail-archive.com/openssl-dev@openssl.org/msg21156.html

In Debian, since version 0.9.8b-1 those 2 calls are being commented out.
I don't know what Ubuntu did to the openssl package, but I assume they
still base it on Debian's version.  So I can only wonder why Ubuntu's
0.9.8c doesn't have this.

Anyway, the memset() you add does remove the warning in some cases.  The
first place the uninitialised values get used is in those MD_Update()
calls.  There are other places in the code that also call it with an
uninitialised buffer.

I've run all the regression tests through valgrind; using the memset()
solves most of those.  As far as I know, commenting out those 2 calls
solved all the warnings valgrind reported.


Kurt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
