[ROS] The perils of security tools

Ben Laurie ben at links.org
Wed May 14 05:34:22 EDT 2008


Jonathan S. Shapiro wrote:
> Ben: I'm idly curious. Was this exceptionally unusual case where use of
> uninitialized memory was valid properly commented in the code?

Well. Kinda. It didn't really explain why:

		i=fread(buf,1,n,in);
		if (i <= 0) break;
		/* even if n != i, use the full array */
		RAND_add(buf,n,(double)i);

There is in theory a second place where it might use an uninitialised 
buffer, but I think in practice that never happens.

I'd note that ISO/IEC 9899 says the result of doing this is undefined, 
so I am inclined to remove it from future releases.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
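
The short-read case from the snippet quoted in this message, written so that only the bytes fread() actually returned are mixed in. This is an added example, not OpenSSL's code and not part of the original post; pool_add, load_stream and demo are hypothetical names, and pool_add is a toy stand-in for RAND_add.

```c
#include <stdio.h>

#define CHUNK 1024

/* Stand-in for RAND_add (assumption, not OpenSSL code): folds bytes into a
 * toy accumulator and counts how many bytes callers handed over. */
static unsigned long pool_state;
static size_t pool_bytes_seen;

static void pool_add(const void *buf, size_t len)
{
    const unsigned char *p = buf;
    for (size_t k = 0; k < len; k++)
        pool_state = pool_state * 31u + p[k];
    pool_bytes_seen += len;
}

/* Feed a stream into the pool, passing only the i bytes fread() wrote,
 * so the unwritten tail of buf is never read. Returns bytes mixed. */
static size_t load_stream(FILE *in)
{
    unsigned char buf[CHUNK];
    size_t total = 0, i;

    while ((i = fread(buf, 1, sizeof buf, in)) > 0) {
        pool_add(buf, i);          /* i, not sizeof buf */
        total += i;
    }
    return total;
}

/* Constructed input: 1500 bytes, so the second read is short (476 bytes). */
static size_t demo(void)
{
    FILE *f = tmpfile();
    if (!f) return 0;
    for (int k = 0; k < 1500; k++)
        fputc(k & 0xff, f);
    rewind(f);
    pool_state = 0;
    pool_bytes_seen = 0;
    size_t n = load_stream(f);
    fclose(f);
    return n;
}

int main(void)
{
    size_t mixed = demo();
    printf("mixed %zu bytes, pool saw %zu\n", mixed, pool_bytes_seen);
    return 0;
}
```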

---------------------------------------------------------------------
The Cryptography Mailing List