Hi all!

* Jeffrey Walton Sent: Friday, May 25, 2012 4:39 PM
> On Fri, May 25, 2012 at 7:25 AM, Sudarshan Raghavan
>                              <sudarshan.t.ragha...@gmail.com> wrote:
> > Ok, I can fix the custom free to take care of this.
> > But, why is this happening in openssl 1.0.1 and not in 1.0.0 or
> > 0.9.8?
>
> I think the question to ask is why your code or library
> routines are not validating parameters before operating on
> them. It's a hostile world full of mis-users and adversaries -
> look for any reason to deny processing (and if you can't find
> a reason, begrudgingly perform the processing).

I think in this case the parameter *cannot* be checked. The passed
parameter is a pointer to dynamically allocated memory and a C
application has no way to correctly check a pointer for being valid.
It can be a valid pointer to static .text or to already freed dynamic
memory, it could be a wild pointer or some other dangling one.

Of course it is possible to add some checks like for non-equal to NULL
or non-equal to "whatever limited list of known invalid pointers" (also
pointers to functions cannot be freed etc), but I think this only
misleadingly suggests that a function would be able to check its
pointer arguments.

I think crashing with NULL is quite good: a must-not-happen situation
leads to a defined death of SIGSEGVs, at least for platforms supporting
that, typically with good aid for debugging (like core files or halting
debuggers providing a backtrace). Maybe adding an assert() before.

oki,

Steffen
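
Added example (not part of the thread and not OpenSSL code): a custom malloc/free pair that records the addresses it has handed out, so the free side can reject NULL and pointers it never issued by comparing addresses only. All names (`tracked_malloc`, `tracked_free`, `MAX_LIVE`) are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_LIVE 64                    /* hypothetical table size */
static void *live[MAX_LIVE];           /* addresses currently handed out */

enum free_result { FREED, IGNORED_NULL, REJECTED_UNKNOWN };

void *tracked_malloc(size_t n)
{
    for (size_t i = 0; i < MAX_LIVE; i++) {
        if (live[i] == NULL) {
            live[i] = malloc(n ? n : 1);
            return live[i];
        }
    }
    return NULL;                       /* table full: fail closed */
}

enum free_result tracked_free(void *p)
{
    if (p == NULL)
        return IGNORED_NULL;           /* same contract as free(NULL) */
    for (size_t i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) {            /* compares addresses, never dereferences p */
            live[i] = NULL;
            free(p);
            return FREED;
        }
    }
    return REJECTED_UNKNOWN;           /* static, interior or foreign pointer */
}

int main(void)
{
    static char not_heap[8];           /* constructed sample input */
    char *p = tracked_malloc(16);
    if (p == NULL)
        return 1;
    printf("NULL     -> %d\n", tracked_free(NULL));
    printf("static   -> %d\n", tracked_free(not_heap));
    printf("interior -> %d\n", tracked_free(p + 1));
    printf("live     -> %d\n", tracked_free(p));
    return 0;
}
```

A stale pointer whose address the allocator has since handed out again still matches the table, so this narrows what the free routine accepts without making arbitrary pointer validation possible.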

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
