On 6/20/16, 16:48 , "openssl-dev on behalf of Rich Salz via RT" <openssl-dev-boun...@openssl.org on behalf of r...@openssl.org> wrote:
>You are not supposed to pass NULL into OpenSSL API's. Just like doing >this will >cause a crash strcpy(NULL, "hello”) in a C program. Defensive programming is about handling gracefully the cases when the user/caller does something he “is not supposed to do”. I don’t know if this is an exploitable bug, nor do I care to craft a threat model to assess how bad it could be - but this whole approach doesn’t sound endearing to me. Software that relies on its users doing only the right things…? Really?
smime.p7s
Description: S/MIME cryptographic signature
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev