Viktor Dukhovni:
> Postfix could have employed the OpenSSL feature that allows
> applications to supply their own malloc/free to prevent leakage of
> data in freed memory, and perhaps I'll look into that, but it is

I started looking into this, and the result is "forget it". OpenSSL
maintains its own free list which breaks a memset() based defense.
And that is not all. If this list is turned off some code fails due
to a read-after-free bug.

http://www.tedunangst.com/flak/post/heartbleed-vs-mallocconf
http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse

Wietse
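
A minimal model of the problem described in the message above, added here as an illustration (not code from OpenSSL, Postfix, or the original post): a library-internal freelist sits above the application-supplied scrubbing free(), so a released buffer is cached and handed out again without ever being zeroed. All names (`scrub_free`, `buf_get`, `buf_release`, `secret_survives`) and the sample secret are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BUF_SIZE 64

/* scrub_calls counts scrubbing frees; use_freelist models the library cache. */
static int scrub_calls, use_freelist, freelist_len;
static void *freelist[4];

/* Application-supplied free(): zero the buffer, then hand it to libc. */
static void scrub_free(void *p) {
    volatile unsigned char *v = p;   /* volatile so the stores are not elided */
    for (size_t i = 0; i < BUF_SIZE; i++) v[i] = 0;
    scrub_calls++;
    free(p);
}

/* Library-internal allocation: a cached buffer is reused as-is, uncleared. */
static void *buf_get(void) {
    if (use_freelist && freelist_len > 0) return freelist[--freelist_len];
    return malloc(BUF_SIZE);
}

/* Library-internal release: a cached buffer never reaches scrub_free(). */
static void buf_release(void *p) {
    if (use_freelist && freelist_len < 4) freelist[freelist_len++] = p;
    else scrub_free(p);
}

/* Returns 1 if a secret in a released buffer is readable from the next one. */
static int secret_survives(int freelist_on) {
    static const char secret[] = "constructed-session-key";
    use_freelist = freelist_on;
    freelist_len = scrub_calls = 0;
    char *a = buf_get();
    if (a == NULL) return -1;
    memcpy(a, secret, sizeof secret);
    buf_release(a);
    if (scrub_calls > 0) return 0;   /* cleared before free() */
    char *b = buf_get();             /* same memory, taken from the freelist */
    int leaked = memcmp(b, secret, sizeof secret) == 0;
    scrub_free(b);
    return leaked;
}

int main(void) {
    printf("on=%d off=%d\n", secret_survives(1), secret_survives(0));
    return 0;
}
```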