> I've written a network app using pthreads, ssl, and xml.
>
> I use xml over tcp over ssl and all of that is working fine.
>
> Whilst chasing down what I thought was a bug, I started using
> valgrind on my app.
>
> I'm receiving thousands of "uninitialized value and conditional jump"
> errors triggered by the data that I receive via SSL_read.
>
> [I'm not worried about the alleged valgrind errors within SSL itself
> due to randomizing, etc.]
>
> I've run test programs using pthreads and xml parsing (extracted out
> of my code) and they do not trigger the errors when used w/o SSL.
>
> So, I'm struggling to understand why the data received via sockets
> from the network and through SSL would trigger these kinds of
> warnings.  Literally, every packet/pdu I receive and parse triggers
> these errors.  The data is valid and the PDUs are correct thus my
> confusion.
>
> Has anyone ever seen this and know how to fix/correct?

Look at any code that you use with SSL but not without. One common thing
that can trigger this is if you run 'strlen', 'strchr', or something like
that on the received data.

Consider:

char buf[1024];
int i, j;

buf[1023]=0; // to make sure we don't run off the end
j=SSL_read(ssl, buf, 1000);
if(j<=0) return;
i=strlen(buf);
if(i<j) // data contained an embedded zero
{
 ...

This is legal/safe code. However, it does read uninitialized data. The value
of the uninitialized data can affect 'i', but not whether or not 'i' is less
than 'j'. The tool will correctly report that the value of 'i' is
indeterminate.

But that's just a guess. It's very hard to say without knowing what your
code looks like.

DS
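
An added example, not part of the original message: the same embedded-zero check written so that it only reads the j bytes actually received, using memchr() bounded by the returned length instead of strlen(). fake_read() is a hypothetical stand-in for SSL_read() so the example builds without OpenSSL, and the sample PDUs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for SSL_read(): copies n received bytes into buf and
   returns n. Bytes of buf beyond n are left untouched (uninitialized). */
static int fake_read(char *buf, size_t cap, const void *data, size_t n)
{
    if (n > cap)
        n = cap;
    memcpy(buf, data, n);
    return (int)n;
}

/* Length of the text in the first len bytes: stops at the first zero byte
   or at len, whichever comes first. Never looks past len. */
size_t received_strlen(const char *buf, size_t len)
{
    const char *z = memchr(buf, 0, len);
    return z ? (size_t)(z - buf) : len;
}

/* Returns -1 if nothing was read, 1 if the received data contains an
   embedded zero, 0 if it does not. */
int check_pdu(const void *data, size_t n)
{
    char buf[1024];                 /* deliberately not zeroed */
    int j = fake_read(buf, 1000, data, n);

    if (j <= 0)
        return -1;
    /* Same test as i<j in the snippet above, computed from initialized
       bytes only. */
    return received_strlen(buf, (size_t)j) < (size_t)j;
}

int main(void)
{
    /* Constructed sample PDUs. */
    printf("clean PDU:     %d\n", check_pdu("<a/>", 4));
    printf("embedded zero: %d\n", check_pdu("<a\0b>", 5));
    printf("empty read:    %d\n", check_pdu("", 0));
    return 0;
}
```
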


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org