Nils Larsch via RT wrote:
> Daniel Brahneborg via RT wrote:
>>I'm using Valgrind to debug a program that uses the OpenSSL
>>libraries, and got warnings about uninitialized data in the
>>function RSA_padding_add_PKCS1_type_2(), on the line with
>>"} while (*p == '\0');" (line 171 in version 0.9.7a). The
>>following patch ensures that the data is always modified,
>>something that the bytes() method obviously fails to do.
>
> If it's a bug in bytes() why do you change RAND_bytes(),
> wouldn't it be more appropriate to patch the bytes() function
> of the correspondig RAND_METHOD ? RAND_bytes() is only a
> wrapper function to call the bytes() function from the
> RAND_METHOD object (if existing).
Obviously patching the real bytes() is the proper way to
do it, but since I didn't have the time to further examine
where the uninitialized variable came from, patching
RAND_bytes() became the easy (and simple) solution for me.
At lines 467-469 in crypto/rand/md_rand.c is an interesting
thing:
#ifndef PURIFY
MD_Update(&m,buf,j); /* purify complains */
#endif
That is the code that causes the problem (I just verified
it with Valgrind). Does it have any bad side affects to
always skip that code? Since both Purify and Valgrind is
unhappy with that function call, something must be wrong
with it.
/Basic
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
