On 4/26/16, 11:43 , "openssl-dev on behalf of Tomas Mraz" <openssl-dev-boun...@openssl.org on behalf of tm...@redhat.com> wrote:
>On Út, 2016-04-26 at 10:16 -0500, Douglas E Engert wrote: >> Let me update my response. >> If I am reading GH#995 correctly it still has an issue if a user >> does: >> >> RSA_get0_key(rsa, n, e, NULL); /* note this is a GET0 */ >> /* other stuff done, such as calculating d */ >> RSA_set0_key(rsa, n, e, d); >> >> rsa is left with n and e pointing to unallocated storage. > >This is programmer error in your code because the RSA_get0_key is >documented to just return internal data and must not be freed. Thus >you're not allowed to pass the returned values to RSA_set0_key(). May I suggest that this (obvious to you) text be added to the manual page for both _get0_key() and _set0_key()? [Yes it would be redundant, but IMHO better than allowing a harried programmer making a silly mistake “because he should’ve known better".]
smime.p7s
Description: S/MIME cryptographic signature
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
