On Tue, 2016-04-26 at 18:25 +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> On 4/26/16, 14:20 , "openssl-dev on behalf of Salz, Rich"
> <openssl-dev-boun...@openssl.org on behalf of rs...@akamai.com>
> wrote:
>
> > > Look. If Doug noticed this, programmers less intimate with this
> > > API are much more likely to get stung by it. The protection
> > > against such a misunderstanding is cheap.
> > Is it?
> I think it is. See Doug’s post.
>
> > And what is that protection?
> Checking whether (n, e) passed are pointing at rsa’s own, and not
> freeing them if they do. See Doug’s posting for the details.

No, that gives only a false sense of correctness. And in another instance
you can try to get n, e from another RSA object and set it to a different
one and boom, you have a double free or use-after-free in your code.

I agree that this sequence - get + set - should be more precisely
documented as forbidden, but that's it.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)
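
The cross-object case raised in the reply above, as an added example that is not part of the original thread and is not OpenSSL code. It is a self-contained C model in which `num`, `key` and every function name are hypothetical stand-ins for BIGNUM, RSA and a set0-style setter that carries the proposed self-alias check.

```c
/* Toy model constructed for illustration; not OpenSSL code. */
#include <stdlib.h>
typedef struct { unsigned long v; } num;   /* stand-in for BIGNUM */
typedef struct { num *n, *e; } key;        /* stand-in for RSA */
static num *num_new(unsigned long v) {
    num *x = malloc(sizeof *x);
    if (x) x->v = v;
    return x;
}
static num *num_dup(const num *x) { return x ? num_new(x->v) : NULL; }
static void key_get0(const key *k, num **n, num **e) { *n = k->n; *e = k->e; }
static void key_free(key *k) { free(k->n); free(k->e); k->n = k->e = NULL; }

/* set0 with the proposed check: take ownership, but do not free the old
 * value when the caller passed back the key's own pointer. */
static void key_set0(key *k, num *n, num *e) {
    if (n && n != k->n) { free(k->n); k->n = n; }
    if (e && e != k->e) { free(k->e); k->e = e; }
}

/* 1 if freeing both keys would free the same allocation twice. */
static int shares_storage(const key *a, const key *b) {
    return (a->n && a->n == b->n) || (a->e && a->e == b->e);
}

/* Forbidden: get0 from src, set0 into dst. The check in key_set0 only
 * compares against dst, so it cannot see that src still owns n and e. */
static int copy_by_get_set(key *dst, const key *src) {
    num *n, *e;
    key_get0(src, &n, &e);
    key_set0(dst, n, e);
    return shares_storage(dst, src);
}

/* Safe: duplicate first, then hand the private copies to dst. */
static int copy_by_dup(key *dst, const key *src) {
    num *n = num_dup(src->n), *e = num_dup(src->e);
    if (!n || !e) { free(n); free(e); return -1; }
    key_set0(dst, n, e);
    return shares_storage(dst, src);
}

int main(void) {
    key a = { num_new(3233), num_new(17) }, b = { NULL, NULL };
    int bad = copy_by_get_set(&b, &a);  /* a and b now alias */
    b.n = b.e = NULL;                   /* detach so only a frees them */
    int ok = copy_by_dup(&b, &a);
    key_free(&a); key_free(&b);
    return (bad == 1 && ok == 0) ? 0 : 1;
}
```

The self-alias check makes get + set on the same object harmless, but `copy_by_get_set` still leaves two owners of one allocation; only the duplicate-then-set path gives each object its own storage.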