Package: libnasl
Severity: serious
Tags: security
Hi,
I've been checking packages to see if they properly check the return
value of some of the functions in openssl. In nasl/nasl_crypto2.c
there is this code:
if (DSA_do_verify((unsigned char*)data, datalen, sig, dsa))
retc->x.i_val = 1;
But DSA_do_verify() can return 0 or -1 in case of errors. A good way
to check the value would be something like:
if (DSA_do_verify((unsigned char*)data, datalen, sig, dsa) == 1)
I have no idea if this code is being used and what the consequences
of this might be.
Kurt
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
