Hi,
On Wed, 2004-09-29 at 10:50, Leonard den Ottolander via RT wrote:
> Hello,
>
> Going through Red Hat's 7.3 openssl-0.9.6b-35.7 openssl-0.9.6b-sec.patch
> I noticed that in openssl-engine-0.9.6m (& SNAP 2004-09-26) there is a
> hunk from this patch missing. Everything else has been merged, so I
> believe this to be an unintentional omission.
>
> In RHL 7.3's openssl-0.9.6b-sec.patch there is this one hunk:
>
> --- ./ssl/ssl_asn1.c.chats Thu Apr 5 21:28:48 2001
> +++ ./ssl/ssl_asn1.c Thu Jul 25 16:41:00 2002
> @@ -275,6 +276,7 @@
> os.length=i;
>
> ret->session_id_length=os.length;
> + die(os.length <= sizeof ret->session_id);
> memcpy(ret->session_id,os.data,os.length);
>
> M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
>
> In 0.9.6m die() is usually substituted with a
> + if (os.length > sizeof ret->session_id)
> + {
> + SSLerr(,);
> + return -1;
> + }
> block.
>
> In 0.9.6m this check is missing and should be added:
>
> ret->session_id_length=os.length;
> memcpy(ret->session_id,os.data,os.length);
>
> It is there in 0.9.7d:
>
> ret->session_id_length=os.length;
> OPENSSL_assert(os.length <= sizeof ret->session_id);
> memcpy(ret->session_id,os.data,os.length);
>
> The fact that there is an OPENSSL_assert in 0.9.7d makes me believe the
> hunk was dropped unintentionally in the 0.9.6 branch, and should be
> reintroduced.
>
> The patch below reintroduces die(), and the declaration of OpenSSLDie().
> The definition of OpenSSLDie() is still in cryptlib.c. If you decide to
> use another construct instead of die() the definition of OpenSSLDie()
> should probably be removed.
>
> Leonard.
>
> P.S. The bug report page that is mentioned in the README
> (http://www.openssl.org/rt2.html) seems to no longer exist. Maybe the
> README can be updated?
Any progress on this issue?
Leonard.
--
mount -t life -o ro /dev/dna /genetic/research
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]