On 10.4.2014 12:00, Ronald F. Guilmette wrote:
Rather, I was asking, albeit indirectly, whether a program or
library, such as OpenSSL, which is primarily a security-focused
tool, and upon which a significant fraction of online humanity
depends for its security, is deserving of a "belt and s
In message <867g6x5u2r@nine.des.no>,
Dag-Erling Smørgrav wrote:
>"Ronald F. Guilmette" writes:
>> Xin Li writes:
>> > For this bug, doing calloc() makes no difference.
>> I would very much like to know how you reached that conclusion.
>
>It's very simple. The exploit re
"Ronald F. Guilmette" writes:
> Xin Li writes:
> > For this bug, doing calloc() makes no difference.
> I would very much like to know how you reached that conclusion.
It's very simple. The exploit relies on reading past the end of the
allocated buffer. Clearing the allocated buffer would not
In message <53463a2e.90...@delphij.net>,
Xin Li wrote:
>On 4/9/14, 10:28 PM, Ronald F. Guilmette wrote:
>> 1) Why does OpenSSL even contain a function called
>> "OPENSSL_malloc"? Does anyone other than me think that it might
>> perhaps have been a better choice to provide only a function calle
On 4/9/14, 10:28 PM, Ronald F. Guilmette wrote:
>
> My apologies if the following few naive questions are out of place
> or off topic here. I do suppose that there might perhaps be other
> places where such question might perhaps be better put, b
My apologies if the following few naive questions are out of place
or off topic here. I do suppose that there might perhaps be other
places where such question might perhaps be better put, but many/most/all
of those other places appear to be filled, at present, with discussions
and comments which