Package: slurm-llnl
Severity: serious
Tags: security
Hi,
I've been checking packages to see if they properly check the return
value of some of the functions in openssl. In
src/plugins/crypto/openssl/crypto_openssl.c there is this piece of code:
    rc = EVP_VerifyFinal(&ectx, (unsigned char *) signature,
                         sig_size, (EVP_PKEY *) key);
    if (!rc)
        rc = SLURM_ERROR;
    else
        rc = SLURM_SUCCESS;
But EVP_VerifyFinal() can also return -1 on errors. A good way to check
the value would be something like:
    if (rc <= 0)
I have no idea if this code is being used and what the consequences
of this might be.
Kurt
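Added illustration (not code from the bug report or from Slurm) of why the check matters: EVP_VerifyFinal() is replaced by three stand-in functions returning 1, 0 and -1, so the block runs without OpenSSL; the SLURM_SUCCESS/SLURM_ERROR values are assumed for the example.

```c
#include <stdio.h>

/* Assumed values for this example; Slurm defines its own in slurm_errno.h. */
#define SLURM_SUCCESS 0
#define SLURM_ERROR  -1

/* EVP_VerifyFinal() contract: 1 = signature valid, 0 = signature invalid,
 * -1 = some other error (bad key, allocation failure, ...). */
typedef int (*verify_final_fn)(void);

/* Stand-ins for the three outcomes, so no OpenSSL linkage is needed. */
static int verify_ok(void)      { return 1; }
static int verify_bad_sig(void) { return 0; }
static int verify_error(void)   { return -1; }

/* The check as quoted from crypto_openssl.c: only 0 counts as failure,
 * so the -1 error path is mapped to SLURM_SUCCESS. */
int map_result_original(verify_final_fn fn)
{
    int rc = fn();
    if (!rc)
        rc = SLURM_ERROR;
    else
        rc = SLURM_SUCCESS;
    return rc;
}

/* The check as proposed in the report: anything other than a positive
 * result (i.e. both 0 and -1) is failure. */
int map_result_fixed(verify_final_fn fn)
{
    int rc = fn();
    if (rc <= 0)
        rc = SLURM_ERROR;
    else
        rc = SLURM_SUCCESS;
    return rc;
}

int main(void)
{
    printf("original check, EVP_VerifyFinal returns -1: %s\n",
           map_result_original(verify_error) == SLURM_SUCCESS
               ? "SLURM_SUCCESS (wrong)" : "SLURM_ERROR");
    printf("fixed check,    EVP_VerifyFinal returns -1: %s\n",
           map_result_fixed(verify_error) == SLURM_SUCCESS
               ? "SLURM_SUCCESS" : "SLURM_ERROR (correct)");
    return 0;
}
```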