[170907] in North American Network Operators' Group
Re: DNSSEC?
daemon@ATHENA.MIT.EDU (Michael Thomas)
Sat Apr 12 10:17:35 2014
Date: Sat, 12 Apr 2014 07:17:16 -0700
From: Michael Thomas <mike@mtcc.com>
To: nanog@nanog.org
In-Reply-To: <CAAAwwbXZwAwR0wOc-oPRrq+J_+=yBTtRsGPQ-RGQB-k_6UYU2Q@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 04/11/2014 10:45 PM, Jimmy Hess wrote:
>
> The vulnerability is related to re-used memory pages within the same process.
> It also does not help that OpenSSL has its own wrapper around malloc()
>
> And instead of using the standard system libraries for memory
> allocation, apparently uses a high-risk memory allocation policy,
> that maximizes the exploitability of vulns like the Heartbeat
> extension issue, and prevents security mitigations from working
> that would otherwise be effective.....:
>
>
Malloc doesn't write over to-be allocated memory, calloc does. Using a
wrapper is hardly unusual or controversial -- malloc can be expensive, and
keeping lookaside list for, say, commonly used and fixed sized blocks is, or
at least used to be, a big performance win.
Far from getting rid of evul wrappers, it seems to me that if they were
smart with
their wrappers they'd have wrapper routine for anything vaguely associated
with wire output that zeros the allocated memory.
Mike
