Hi!
> Bobby Krupczak wrote:
>> 1) In bn_rand.c add at line 141: memset(buf, 0, bytes); =20
>>
>> buf = (unsigned char *)OPENSSL_malloc(bytes);
>> if (buf == NULL)
>> {
>> BNerr(BN_F_BNRAND,ERR_R_MALLOC_FAILURE);
>> goto err;
>> }
>> memset(buf, 0, bytes);
>
>
>> 2) bn_mont.c: Initialize tmod variable declared at line 392
>> memset(&tmod, 0, sizeof(tmod));
>
>
> Maybe these two items are genuine bugs ? If some code should be using
> calloc() instead of malloc() in the first case ?
>
>
> You have have any simple code that exposes those bugs, simply meaning just
> a page of code that when run under valgrind exposes uninit'ed data is being
> used (even after a -DPURIFY version of OpenSSL is used).
The example client/server code from the book NSwO demonstrated the
problem even after -DPURIFY was used to build openssl.
I'm not sure it is a bug or not. I guess it would be up to the
openssl maintainers and developers to decide.
Thanks,
Bobby
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]