On Thursday, 10 April 2014 at 07:14:10 UTC, Marco Leise wrote:
> On Thu, 10 Apr 2014 06:51:40 +0000, "w0rp" <[email protected]> wrote:
>
>> On Wednesday, 9 April 2014 at 12:36:49 UTC, Marco Leise wrote:
>>> Sorry, but wasn't this security risk instead caused by
>>> uninitialized memory, and shouldn't you instead have said:
>>>
>>> "I'm glad to be using a language with default
>>> initialization?"
>>
>> Nope, it was caused by missing bounds checking.
>> https://www.openssl.org/news/secadv_20140407.txt
>>
>>> A missing bounds check [...]
>
> Haha, I tried to read that about an hour ago to inform myself,
> but it still doesn't load for me.
>
> http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
The server copies data received from the client and sends it
back; the length is specified (or forged) by the client, and
everything is initialized just fine.
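The check w0rp is describing, as an added example that is not OpenSSL's code and not part of this thread: a minimal C heartbeat handler that rejects a record whose declared payload_length exceeds the bytes actually received. The record layout follows RFC 6520; HB_PADDING, heartbeat_response and the two sample records are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal model of a TLS heartbeat record (RFC 6520): one type byte, a 16-bit
 * big-endian payload_length, the payload, then at least 16 bytes of padding.
 * Added example, not OpenSSL's code; names and samples are constructed. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Builds the response into out and returns its length, or 0 if the record is
 * rejected. The length comparison below is the check Heartbleed lacked: without
 * it, payload_length bytes were copied out of the record buffer no matter how
 * many bytes the client had actually sent, so the echo carried memory beyond
 * the received record. That memory was initialized, as the thread above says. */
size_t heartbeat_response(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* Bounds check: the declared payload must fit inside what was received. */
    if (1 + 2 + payload_len + HB_PADDING > rec_len) return 0;
    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);        /* echo only bytes we received */
    memset(out + 3 + payload_len, 0, HB_PADDING); /* padding is arbitrary; zeroed */
    return resp_len;
}

/* Constructed sample: well-formed request with the 4-byte payload "ping". */
size_t demo_valid_record(void)
{
    uint8_t rec[1 + 2 + 4 + HB_PADDING] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[sizeof rec];
    size_t n = heartbeat_response(rec, sizeof rec, out, sizeof out);
    if (n != sizeof rec || out[0] != HB_RESPONSE || memcmp(out + 3, "ping", 4)) return 0;
    return n; /* 23: the full record echoed back */
}

/* Constructed sample: the same 23 received bytes, but payload_length claims 0xFFFF. */
size_t demo_forged_length(void)
{
    uint8_t rec[1 + 2 + 4 + HB_PADDING] = { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };
    static uint8_t out[1 + 2 + 0xFFFF + HB_PADDING]; /* room for the claimed size */
    return heartbeat_response(rec, sizeof rec, out, sizeof out); /* 0: rejected */
}
```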