ssl/ssl_ciph.c:

int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
{
    ...
    if (ssl_comp_methods && !sk_SSL_COMP_find(ssl_comp_methods,comp))
    {
        OPENSSL_free(comp);
        MemCheck_on();
        SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,SSL_R_DUPLICATE_COMPRESSION_ID);
        return(1);
    }
    ...
}
The "!sk_SSL_COMP_find()" looks wrong to me, I expect sk_SSL_COMP_find() to return the index of the matching entry, not true/false. So the test is only correct when the index of the matching entry is zero (just one entry on the stack).

This looks somewhat similar to the 0.9.8j fix for true/false tests mis-applied to a non-boolean result from EVP_VerifyFinal(). Can a more systematic audit be performed to identify any other similar instances?

First one needs a list of integer-valued functions where 0 vs. non-zero return values are semantically dubious, and then a search for boolean tests of the return value from such functions. Don't know whether any static code analyzers can help to identify this type of problem.

-- 
Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
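The index-versus-boolean mismatch described in the post, as an added C example that is not part of the original message or of OpenSSL's code. comp_stack and comp_stack_find are hypothetical stand-ins for STACK_OF(SSL_COMP) and sk_SSL_COMP_find(), assuming the find-returns-index-or-minus-one convention the post describes; each duplicate check is exercised by registering constructed ids twice and counting what slips through.

```c
/* Hypothetical stand-in for a STACK_OF(SSL_COMP): a fixed array of
 * compression-method ids. Constructed for this example, not OpenSSL's. */
typedef struct { int ids[8]; int num; } comp_stack;

/* Mirrors the sk_*_find() convention the post describes: returns the
 * index of the matching entry, or -1 when there is no match. */
static int comp_stack_find(const comp_stack *sk, int id)
{
    for (int i = 0; i < sk->num; i++)
        if (sk->ids[i] == id)
            return i;
    return -1;
}

/* The boolean test as quoted from ssl_ciph.c: true only when the match
 * sits at index 0, so a duplicate of any later entry slips through. */
static int duplicate_bool_test(const comp_stack *sk, int id)
{
    return !comp_stack_find(sk, id);
}

/* The index-aware test: any non-negative index means "already present". */
static int duplicate_index_test(const comp_stack *sk, int id)
{
    return comp_stack_find(sk, id) >= 0;
}

/* Registers each of ids[] twice, skipping any id that is_dup() flags, and
 * returns how many ids ended up stored more than once (0 for a correct check). */
static int duplicates_after_double_add(const int *ids, int n,
                                       int (*is_dup)(const comp_stack *, int))
{
    comp_stack sk = { {0}, 0 };
    for (int pass = 0; pass < 2; pass++)
        for (int i = 0; i < n; i++)
            if (!is_dup(&sk, ids[i]) && sk.num < 8)
                sk.ids[sk.num++] = ids[i];
    int dups = 0;
    for (int i = 0; i < sk.num; i++)
        for (int j = i + 1; j < sk.num; j++)
            if (sk.ids[i] == sk.ids[j]) { dups++; break; }
    return dups;
}

/* Constructed sample: three distinct ids. */
static const int sample_ids[] = { 1, 2, 3 };
```

With the boolean test only the id at index 0 is rejected on the second pass, so the two later ids are stored twice; the index-aware test rejects all three.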