[124216] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

Re: [ROS] The perils of security tools

daemon@ATHENA.MIT.EDU (Ben Laurie)
Thu May 22 12:17:40 2008

Date: Wed, 14 May 2008 10:34:22 +0100
From: Ben Laurie <ben@links.org>
To: "Jonathan S. Shapiro" <shap@eros-os.com>
CC: Robust Open Source <open-source@csl.sri.com>, 
 Cryptography <cryptography@metzdowd.com>
In-Reply-To: <1210695016.14939.10.camel@shaptop.om-md.eros-os.com>

Jonathan S. Shapiro wrote:
> Ben: I'm idly curious. Was this exceptionally unusual case where use of
> uninitialized memory was valid properly commented in the code?

Well. Kinda. It didn't really explain why:

		i=fread(buf,1,n,in);
		if (i <= 0) break;
		/* even if n != i, use the full array */
		RAND_add(buf,n,(double)i);

There is in theory a second place where it might used an uninitialised 
buffer, but I think in practice that never happens.

I'd note that ISO/IEC 9899 says the result of doing this is undefined, 
so I am inclined to remove it from future releases.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

home help back first fref pref prev next nref lref last post