[openssl-dev] [openssl.org #3882] [BUGFIX] lh_SSL_SESSION_delete() not checked
Short, Todd
tshort at akamai.com
Sun May 31 19:23:18 UTC 2015
No,
The second code sample removes a matching instance, but not necessarily the same instance. If they are not the same instance, then it would need to be re-inserted in and else clause.
This is a fine distinction.
This would leave to having the list and hash not contain the same contents: Either the number of items is different, or the two sets of items are different.
There's a similar example in the code, I believe, but I'd have to search for it.
--
-Todd Short
// tshort at akamai.com
// Sent from my iPhone
// "One if by land, two if by sea, three if by the Internet."
> On May 31, 2015, at 12:43 PM, Richard Levitte via RT <rt at openssl.org> wrote:
>
> You solution does the following:
>
> if (lh_SSL_SESSION_retrieve(p->cache, s) == s) {
> (void)lh_SSL_SESSION_delete(p->cache, s);
> ...
>
> Would you agree that the following does the same?
>
> if (lh_SSL_SESSION_delete(p->cache, s) == s) {
> ...
>
>
>> On Sat May 30 09:48:06 2015, tshort at akamai.com wrote:
>> Hello OpenSSL Org:
>>
>> This is a change that Akamai has made to its
>> implementation of OpenSSL.
>>
>> Version: master branch
>> Description:
>> lh_SSL_SESSION_delete() not checked
>>
>> Fix an OpenSSL issue where the
>> return code of lh_SSL_SESSION_delete()
>> is not checked, causing a
>> stale reference in the lhash.
>>
>> Github link:
> https://github.com/akamai/openssl/commit/3a114c2f0e3bf241732fef7a2d339a230ca68abc
>> And attachment.
>>
>> Thank you.
>> --
>> -Todd Short
>> // tshort at akamai.com
>> // “One if by land, two if by sea, three if by the Internet.”
>
>
> --
> Richard Levitte
> levitte at openssl.org
>
More information about the openssl-dev
mailing list