[openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Mon Jun 20 21:04:26 UTC 2016


On 6/20/16, 16:48 , "openssl-dev on behalf of Rich Salz via RT"
<openssl-dev-bounces at openssl.org on behalf of rt at openssl.org> wrote:

>You are not supposed to pass NULL into OpenSSL APIs. Just like doing
>this will cause a crash strcpy(NULL, "hello") in a C program.

Defensive programming is about handling gracefully the cases when the
user/caller does something he “is not supposed to do”.

I don’t know if this is an exploitable bug, nor do I care to craft a
threat model to assess how bad it could be - but this whole approach
doesn’t sound endearing to me. Software that relies on its users doing
only the right things…? Really?