I agree. Passing NULL to a free function is most likely due to a bug. Given that would you rather assert and find out the reason or ignore. I would assume the defensive option would be to assert and analyze the core. My 2 cents.
Regards, Sudarshan On 25-May-2012 8:39 PM, "Steffen DETTMER" <steffen.dett...@ingenico.com> wrote: > Hi all! > > * Jeffrey Walton Sent: Friday, May 25, 2012 4:39 PM > > On Fri, May 25, 2012 at 7:25 AM, Sudarshan Raghavan > > <sudarshan.t.ragha...@gmail.com> wrote: > > > Ok, I can fix the custom free to take care of this. > > > But, why is this happening in openssl 1.0.1 and not in 1.0.0 or > > > 0.9.8? > > > > I think the question to ask is why your code or library > > routines are not validating parameters before operating on > > them. Its a hostile world full of mis-users and adversaries - > > look for any reason to deny processing (and if you can't find > > a reason, begrudgingly perform the processing). > > I think in this case the parameter *cannot* be checked. The passed > parameter is a pointer to dynamically allocated memory and a C > application has not way to correctly check a pointer for being valid. > It can be a valid pointer to static .text or to already freed dynamic > memory, it could be a wild pointer or some other dangling one. > > Of course it is possible to add some checks like for non-equal to NULL > or non-equal to "whatever limited list of known invalid pointers" (also > pointers to functions cannot be freed etc), but I think this only > missleadingly suggests that a function would be able to check its > pointer arguments. > > I think crashing with NULL is quite good: a must-not-happen situation > leads to a defined dead of SIGSEGVs, at least for platforms supporting > that, typically with good aid for debuggin (like core files or halting > debuggers providing a backtrace). Maybe adding an assert() before. > > oki, > > Steffen > > -- > [end of message] > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > About Ingenico: Ingenico is a leading provider of payment, transaction and > business solutions, with over 17 million terminals deployed in more than > 125 countries. Over 3,600 employees worldwide support merchants, banks and > service providers to optimize and secure their electronic payments > solutions, develop their offer of services and increase their point of > sales revenue. > More information on http://www.ingenico.com/. > This message may contain confidential and/or privileged information. If > you are not the addressee or authorized to receive this for the addressee, > you must not use, copy, disclose or take any action based on this message > or any information herein. If you have received this message in error, > please advise the sender immediately by reply e-mail and delete this > message. Thank you for your cooperation. > P Please consider the environment before printing this e-mail > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org >
