https://bugs.openldap.org/show_bug.cgi?id=10224
Howard Chu hyc@openldap.org changed:
What      |Removed |Added
----------------------------------------------------------------------------
Severity  |normal  |trivial
--- Comment #2 from Howard Chu hyc@openldap.org ---
(In reply to yaneurabeya from comment #0)
> Not checking the EVP* calls can result in undefined behavior, e.g., a library crash with SIGBUS, SIGSEGV, etc., and/or incorrect results when analyzing `keyhash.bv_val` later.
Nonsense. The only thing that happens with the keyhash.bv_val is to perform a memcmp, and the bv_val points to valid stack memory. SIGBUS, SIGSEGV, any crash is impossible. An incorrect result only means the session check will be rejected.
The outcome would be the same regardless of whether or not this was patched.
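The following is an added illustration of the two code paths discussed above, not code from OpenLDAP or from either commenter. It does not call OpenSSL at all: a hypothetical 8-byte `digest_fn` interface (success returns 1 and writes the output, failure returns 0 and leaves it untouched, the EVP convention) stands in for the EVP_Digest* chain, with FNV-1a as the working digest and `failing_digest` simulating an EVP failure. The stack buffer is zero-initialised so the demo is deterministic instead of reading indeterminate bytes. The constructed key string, the function names and the return-code convention are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define KEYHASH_LEN 8

/* Hypothetical digest interface standing in for EVP_DigestInit/Update/Final.
 * Returns 1 on success (out written), 0 on failure (out left untouched). */
typedef int (*digest_fn)(const unsigned char *in, size_t len,
                         unsigned char out[KEYHASH_LEN]);

/* FNV-1a 64-bit: a real, deterministic hash used only so the example has a
 * working digest. It is an assumption of this example, not what OpenLDAP uses. */
static int fnv1a_digest(const unsigned char *in, size_t len,
                        unsigned char out[KEYHASH_LEN])
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= in[i];
        h *= 0x100000001b3ULL;
    }
    for (int i = 0; i < KEYHASH_LEN; i++)
        out[i] = (unsigned char)(h >> (8 * i));
    return 1;
}

/* Simulates an EVP call failing: reports 0 and never writes the output buffer. */
static int failing_digest(const unsigned char *in, size_t len,
                          unsigned char out[KEYHASH_LEN])
{
    (void)in; (void)len; (void)out;
    return 0;
}

/* Unchecked variant: the digest's return value is ignored, so on failure the
 * buffer keeps whatever it held before (zeros here) and memcmp decides.
 * Returns 1 = session accepted, 0 = session rejected. */
static int session_check_unchecked(digest_fn d, const unsigned char *key,
                                   size_t keylen,
                                   const unsigned char expected[KEYHASH_LEN])
{
    unsigned char keyhash[KEYHASH_LEN] = {0};  /* stack buffer, as in the ticket */
    d(key, keylen, keyhash);                   /* return value deliberately ignored */
    return memcmp(keyhash, expected, KEYHASH_LEN) == 0;
}

/* Checked variant: a digest failure is reported as its own result instead of
 * being folded into "mismatch". Returns -1 = digest error, 0 = rejected, 1 = accepted. */
static int session_check_checked(digest_fn d, const unsigned char *key,
                                 size_t keylen,
                                 const unsigned char expected[KEYHASH_LEN])
{
    unsigned char keyhash[KEYHASH_LEN] = {0};
    if (!d(key, keylen, keyhash))
        return -1;
    return memcmp(keyhash, expected, KEYHASH_LEN) == 0 ? 1 : 0;
}

/* Constructed sample inputs for the demo (not real session material). */
static const unsigned char sample_key[]  = "constructed-session-key";
static const unsigned char wrong_key[]   = "constructed-session-key-tampered";

/* Runs one scenario: fail selects the failing digest, checked selects the
 * variant that tests return values, tamper presents a key that does not match
 * the stored reference hash. Returns the session-check result. */
int run_scenario(int fail, int checked, int tamper)
{
    unsigned char expected[KEYHASH_LEN];
    fnv1a_digest(sample_key, sizeof sample_key - 1, expected); /* stored reference hash */

    digest_fn d = fail ? failing_digest : fnv1a_digest;
    const unsigned char *key = tamper ? wrong_key : sample_key;
    size_t keylen = tamper ? sizeof wrong_key - 1 : sizeof sample_key - 1;

    return checked ? session_check_checked(d, key, keylen, expected)
                   : session_check_unchecked(d, key, keylen, expected);
}

int main(void)
{
    printf("good digest, unchecked: %d\n", run_scenario(0, 0, 0));
    printf("good digest, checked:   %d\n", run_scenario(0, 1, 0));
    printf("tampered key, checked:  %d\n", run_scenario(0, 1, 1));
    printf("EVP failure, unchecked: %d\n", run_scenario(1, 0, 0));
    printf("EVP failure, checked:   %d\n", run_scenario(1, 1, 0));
    return 0;
}
```

With a simulated digest failure both variants refuse the session: the unchecked path because a zeroed buffer never equals the stored hash, the checked path because it returns -1 before comparing. The only observable difference is that the checked variant lets the caller tell a library error apart from a bad session key, which matters for logging and diagnosis but not for the accept/reject decision.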