On Mon, Feb 03, 2003 at 01:52:02PM -0800, Sumeet Singh wrote:
>
> Hi,

Hi.

> I notice a possible bug in the asn1_lib.c patch for openssl v.95a
> that was sent out in the following email.
> http://marc.theaimsgroup.com/?l=openssl-users&m=102811486104274&w=2
> In this email Ademar de Souza Reis Jr. has backported some fixes
> from 0.97-dev into the patch Ben Laurie sent out.
> One of the hunks (attached below) introduces the following line
> into asn1_lib.c in the function asn1_get_length.
>     if (*plength > (omax - (*pp - p)))
> The above code makes my apache (v 1.3.12 with some modifications)
> dump core.
> However, the code in openssl v 0.97 is as follows and my apache
> works fine if I modify the code to this.
>     if (*plength > (omax - (p - *pp)))

This last one (as found in 0.97) is the right one. The patch I backported
was bogus, and fixed a day later in CVS, as you can see in the link below:

http://cvs.openssl.org/filediff?f=openssl/crypto/asn1/asn1_lib.c&v1=1.19.2.3&v2=1.19.2.4

> The rest of the function code in v0.97 is identical to that in
> 0.95a. Could somebody confirm that the patch is wrong and that the
> code should be modified as shown above?

You can safely use the last one (we have it applied in our distributed
packages for previous Conectiva Linux working just fine)

[]'s
  - Ademar

-- 
Ademar de Souza Reis Jr. <[EMAIL PROTECTED]>
http://www.ademar.org

^[:wq!
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
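The two forms of the check discussed in this thread, side by side in a small stand-alone DER header reader. This is an added example, not OpenSSL's code and not part of the original message. It assumes that *pp points at the start of the object and p is the cursor already advanced past the header; get_header, accepts_truncated, the enum names and the sample bytes are this sketch's own.

```c
#include <stdio.h>

enum { CHECK_AS_IN_097, CHECK_AS_BACKPORTED };  /* names are this sketch's own */

/* Read one DER header (single-byte tag, definite length of up to 3 length
 * octets) from *pp, where omax bytes are available. On success store the
 * content length in *plength, advance *pp to the content, and return 1. */
static int get_header(const unsigned char **pp, long *plength, long omax, int which)
{
    const unsigned char *p = *pp;   /* assumption: p is the advancing cursor */
    long len, room;
    int k;

    if (omax < 2)
        return 0;
    p++;                            /* skip the tag octet */
    len = *p++;
    if (len & 0x80) {               /* long form: low 7 bits count length octets */
        k = (int)(len & 0x7f);
        if (k == 0 || k > 3 || omax < 2 + k)
            return 0;
        for (len = 0; k > 0; k--)
            len = (len << 8) | *p++;
    }
    /* p - *pp is the header size, so the first form leaves omax - header.
     * *pp - p is negative, so the second form allows omax + header. */
    room = (which == CHECK_AS_IN_097) ? omax - (p - *pp) : omax - (*pp - p);
    if (len > room)
        return 0;
    *plength = len;
    *pp = p;
    return 1;
}

/* Constructed sample: OCTET STRING claiming 5 content bytes, only 3 present. */
static const unsigned char truncated[] = { 0x04, 0x05, 0xAA, 0xBB, 0xCC };

/* Returns 1 if the chosen check accepts the truncated object. */
int accepts_truncated(int which)
{
    const unsigned char *p = truncated;
    long len = 0;
    return get_header(&p, &len, (long)sizeof truncated, which);
}

int main(void)
{
    printf("0.97 form accepts truncated input:       %d\n", accepts_truncated(CHECK_AS_IN_097));
    printf("backported form accepts truncated input: %d\n", accepts_truncated(CHECK_AS_BACKPORTED));
    return 0;
}
```

Under these assumptions the form with (p - *pp) rejects the truncated object, while the form with (*pp - p) accepts a declared length that runs past the end of the buffer.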