On Fri, 11 Apr 2014, Mark Morgan Lloyd wrote:

> Michael Van Canneyt wrote:
>
>> On Fri, 11 Apr 2014, Mark Morgan Lloyd wrote:
>>
>>> Is my understanding correct that when a string or a dynamic array is
>>> extended it might result in its existing content being released to the
>>> heap?
>>>
>>> If so, is it possible to ensure that this is zeroed or randomised first,
>>> without having to do it manually?
>>
>> Currently not, although such behaviour could easily be introduced as an
>> option.
>>
>> Current HeartBleed frenzy getting you (or your bosses) scared ? :)
>
> :-) No, but I don't think enough people are focussing on the real problem,
> which is that the OpenSSL developers were letting sensitive data leak to the
> freelist.
>
> If, when they wrote the code some years ago, they'd been rigorous in their
> handling of passwords and private keys then the current bug - introduced in
> 2012 - would have been far less serious.

Correct.

Having looked at the openssl library, I can say it's a miracle it works at all.
Rarely seen such a mess of macros and whatnot, a good showcase of why I think
C is not a good language choice. So, not surprised that it contains leaks :(

OTOH, I think people are hugely exaggerating the problem, considering it was
introduced relatively recently and that I got my security update before it
hit the newspapers.

That is of course not to say that it shouldn't be fixed and people shouldn't
bother.

But the way it is presented is more about scaring people than anything else.
Hysterics...

Michael.
_______________________________________________
fpc-pascal maillist - fpc-pascal@lists.freepascal.org
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal
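The manual zeroing that Michael says FPC does not yet offer as an option, shown as an added example (not from the thread or the FPC RTL; the helper names SecureSetLength and SecureClear are mine). It relies on FPC's copy-on-write AnsiString semantics: SetLength reallocates in place only when the buffer's reference count is 1, otherwise it allocates a fresh buffer and copies, so holding a second reference lets us scrub the old buffer ourselves before it goes back to the heap.

```pascal
{$mode objfpc}{$H+}
program SecureGrowDemo;

// Grow a sensitive AnsiString to NewLen and wipe the old buffer before it is
// freed. Assumption: refcount > 1 makes SetLength copy instead of ReAllocMem.
procedure SecureSetLength(var S: AnsiString; NewLen: SizeInt);
var
  Old: AnsiString;
begin
  Old := S;                 // second reference: refcount becomes 2
  SetLength(S, NewLen);     // refcount > 1, so S gets a new buffer plus a copy
  if Length(Old) > 0 then
    FillChar(Old[1], Length(Old), 0);  // we now hold the old buffer alone: scrub it
  Old := '';                // refcount drops to 0; the zeroed block is freed
end;

// Wipe a secret before dropping it. If other references to the same buffer
// exist, the write triggers copy-on-write and those copies keep the data;
// this helper cannot reach them.
procedure SecureClear(var S: AnsiString);
begin
  if Length(S) > 0 then
    FillChar(S[1], Length(S), 0);
  S := '';
end;

var
  Secret: AnsiString;
begin
  Secret := 'hunter2-private-key-material';  // constructed sample secret
  UniqueString(Secret);          // force a heap copy (literals are constant, refcount -1)
  SecureSetLength(Secret, 64);   // grow without leaking the old copy to the freelist
  WriteLn('length now ', Length(Secret), ', prefix ', Copy(Secret, 1, 7));
  SecureClear(Secret);
end.
```

Dynamic arrays follow the same reference-counted scheme, so the same trick (hold a second reference, SetLength, FillChar the old one, release) applies to them.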