ssl/ssl_ciph.c:

    int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
    {
        ...
        if (ssl_comp_methods
            && !sk_SSL_COMP_find(ssl_comp_methods,comp))
            {
            OPENSSL_free(comp);
            MemCheck_on();
            SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,SSL_R_DUPLICATE_COMPRESSION_ID);
            return(1);
            }
        ...
    }

The "!sk_SSL_COMP_find()" looks wrong to me, I expect sk_SSL_COMP_find()
to return the index of the matching entry, not true/false. So the test
is only correct when the index of the matching entry is zero (just one
entry on the stack).

This looks somewhat similar to the 0.9.8j fix for true/false tests
mis-applied to a non-boolean result from EVP_VerifyFinal(). Can a more
systematic audit be performed to identify any other similar instances?

First one needs a list of integer-valued functions where 0 vs. non-zero
return values are semantically dubious, and then a search for boolean
tests of the return value from such functions. Don't know whether any
static code analyzers can help to identify this type of problem.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
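The index-versus-boolean confusion described in the message above, as an added example that is neither OpenSSL code nor part of the post: a constructed stand-in for sk_SSL_COMP_find() (index of the match, or -1 when absent) with the quoted test and a corrected one side by side, showing the duplicate id that slips past the quoted form. The comp_stack type, comp_find(), comp_add() and its predicate parameter are this example's own assumptions.

```c
#include <stdio.h>

/* Constructed stand-in for STACK_OF(SSL_COMP): a small array of
 * compression-method ids. comp_find() mirrors sk_SSL_COMP_find():
 * it returns the INDEX of the match (0 is a valid hit) or -1 if absent. */
typedef struct { int ids[8]; int num; } comp_stack;

static int comp_find(const comp_stack *sk, int id)
{
    for (int i = 0; i < sk->num; i++)
        if (sk->ids[i] == id)
            return i;
    return -1;
}

/* The check as written in the quoted ssl_ciph.c: the index is used as a
 * boolean, so only a match at index 0 counts as a duplicate; -1 (absent)
 * and any index >= 1 both read as "not a duplicate". */
static int is_dup_buggy(const comp_stack *sk, int id)
{
    return sk != NULL && !comp_find(sk, id);
}

/* The same check with the index semantics honoured. */
static int is_dup_fixed(const comp_stack *sk, int id)
{
    return sk != NULL && comp_find(sk, id) >= 0;
}

/* Mirrors the shape of SSL_COMP_add_compression_method(): 1 on error
 * (duplicate or full), 0 after pushing the id. Predicate is an assumption. */
static int comp_add(comp_stack *sk, int id, int (*is_dup)(const comp_stack *, int))
{
    if (is_dup(sk, id) || sk->num >= 8)
        return 1;
    sk->ids[sk->num++] = id;
    return 0;
}

int main(void)
{
    comp_stack sk = { { 10, 20, 30 }, 3 };   /* constructed sample stack */
    int rc = comp_add(&sk, 20, is_dup_buggy);
    printf("buggy: re-adding 20 -> rc=%d, %d entries\n", rc, sk.num); /* rc=0, 4: slipped in */
    rc = comp_add(&sk, 20, is_dup_fixed);
    printf("fixed: re-adding 20 -> rc=%d, %d entries\n", rc, sk.num); /* rc=1, 4: rejected */
    return 0;
}
```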
