On Fri, 11 Apr 2014 12:21:06 -0400, Marco Leise <[email protected]> wrote:
On Fri, 11 Apr 2014 11:38:54 +0000, "Kagamin" <[email protected]> wrote:
http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
The server copies data received from the client and sends it
back, the length is specified (or forged) by the client,
everything is initialized just fine.
Ah, so this is a typical ping packet, where you copy all
payload bytes from the client's packet and send them back.
Just that in this case the client can write anything into
the length header and OpenSSL would try to copy as many bytes
from the client provided packet into the answer packet, even if
that means reading beyond the end of that packet.
This still doesn't touch D's array bounds checking at all,
because the array pointer and length come from an unreliable
source to begin with!
But in a D-created struct, the data would be an array, instead of a
ptr+length.
-Steve
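The copy Marco describes, and the check that stops it, in C as an added example (not code from the thread, from OpenSSL, or from D's runtime). `record_t` is a stand-in for the record structure OpenSSL reads the heartbeat from: a pointer plus the length the transport actually delivered. `heartbeat_vulnerable` has the pre-fix shape, trusting the client's 2-byte length field; `heartbeat_hardened` has the shape of the published fix, dropping any message whose claimed payload plus header and padding does not fit in the delivered bytes. The sample record and the "neighbouring memory" after it are constructed so the over-read stays inside one array and the demo runs without undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER_LEN 3   /* 1-byte message type + 2-byte payload length */
#define HB_PADDING    16  /* padding bytes that must follow the payload */

/* Stand-in for the record structure OpenSSL reads heartbeats from:
 * a pointer to the bytes plus the length the transport actually delivered. */
typedef struct {
    const uint8_t *data;
    size_t length;
} record_t;

/* 16-bit big-endian payload length, exactly as the client wrote it. */
static size_t client_payload_len(const record_t *rec) {
    return ((size_t)rec->data[1] << 8) | rec->data[2];
}

/* Pre-fix shape: trusts the client's length field and copies that many bytes
 * from the record, even when that runs past rec->length into whatever
 * happens to follow the record in memory. Returns the number of bytes copied. */
size_t heartbeat_vulnerable(const record_t *rec, uint8_t *out, size_t out_cap) {
    size_t payload = client_payload_len(rec);
    if (payload > out_cap)      /* guards only our reply buffer, not the over-read */
        payload = out_cap;
    memcpy(out, rec->data + HB_HEADER_LEN, payload);
    return payload;
}

/* Fixed shape: the claimed payload, plus header and padding, must fit inside
 * the bytes that arrived; otherwise drop the message. Returns 0 on success. */
int heartbeat_hardened(const record_t *rec, uint8_t *out, size_t out_cap,
                       size_t *out_len) {
    if (rec->length < HB_HEADER_LEN)
        return -1;
    size_t payload = client_payload_len(rec);
    if (HB_HEADER_LEN + payload + HB_PADDING > rec->length)
        return -1;              /* length forged: silently discard */
    if (payload > out_cap)
        return -1;
    memcpy(out, rec->data + HB_HEADER_LEN, payload);
    *out_len = payload;
    return 0;
}

/* Constructed sample data. The record itself is 24 bytes: header, the 5-byte
 * payload "hello", and 16 bytes of padding. The 40 bytes after it stand in for
 * neighbouring memory that a real server would never intend to send. */
#define REC_LEN   (HB_HEADER_LEN + 5 + HB_PADDING)   /* 24 */
#define NEIGHBOUR 40

static const uint8_t wire_forged[REC_LEN + NEIGHBOUR] = {
    0x01, 0x00, 0x28,                  /* type = request, claimed length = 40 */
    'h', 'e', 'l', 'l', 'o',           /* the only payload bytes that exist   */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,   /* padding */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'K', 'E', 'Y',  /* neighbouring memory */
};

static const uint8_t wire_honest[REC_LEN] = {
    0x01, 0x00, 0x05,                  /* claimed length = 5 matches reality */
    'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
};

/* The pre-fix code returns 40 bytes: "hello", the padding, then the secret. */
int vulnerable_leaks_neighbouring_memory(void) {
    uint8_t out[64];
    record_t rec = { wire_forged, REC_LEN };
    size_t n = heartbeat_vulnerable(&rec, out, sizeof out);
    return n == 40
        && memcmp(out, "hello", 5) == 0
        && memcmp(out + REC_LEN - HB_HEADER_LEN, "SECRET-KEY", 10) == 0;
}

/* The fixed code refuses the forged record ... */
int hardened_rejects_forged_length(void) {
    uint8_t out[64];
    size_t n = 0;
    record_t rec = { wire_forged, REC_LEN };
    return heartbeat_hardened(&rec, out, sizeof out, &n) == -1;
}

/* ... and still answers an honest one with exactly the payload it carried. */
int hardened_echoes_honest_payload(void) {
    uint8_t out[64];
    size_t n = 0;
    record_t rec = { wire_honest, REC_LEN };
    return heartbeat_hardened(&rec, out, sizeof out, &n) == 0
        && n == 5 && memcmp(out, "hello", 5) == 0;
}

int main(void) {
    printf("vulnerable leaks neighbouring memory: %d\n", vulnerable_leaks_neighbouring_memory());
    printf("hardened rejects forged length:       %d\n", hardened_rejects_forged_length());
    printf("hardened echoes honest payload:       %d\n", hardened_echoes_honest_payload());
    return 0;
}
```

The two positions in the thread map onto this directly. Steve's case is a record held as a D slice: `data[3 .. 3 + payload]` would be checked against the slice's own length, which is the delivered length, and the forged request would throw. Marco's case is rebuilding a slice from a raw pointer and a client-supplied length; that slice carries the lie with it, so the bounds check has nothing true to compare against, and the explicit `rec->length` comparison above is still the thing that has to exist somewhere.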