[Cryptography] Heartbleed and malloc

Salz, Rich rsalz at akamai.com
Fri May 9 11:12:53 EDT 2014


> It looks like the Heartbeat extension did not use the free-list tools

Are you talking about the REUSE_BUFFER stuff?  Yes, that's really only used for standard application traffic (SSL_read, SSL_write).

>  but from what I can determine, as long as debug modes are off, OPENSSL_malloc gets redefined in a series of steps to be the operating system malloc.

Yes.  It is also possible to do run-time redirection (see the CRYPTO_set_*_mem_functions) but they are tricky and undocumented.
 
> if our reading is correct, Theo's critique may have been too harsh.

Imagine that.

	/r$
--  
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rsalz at jabber.me; Twitter: RichSalz
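
A simplified model of the two allocator paths discussed in this message, added here as an illustration; it is not code from the message or from OpenSSL. All `model_*` and `app_*` names are hypothetical, and the model assumes that replacement hooks are accepted only before the library's first allocation.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical names throughout: a simplified model, not OpenSSL source. */
static void *(*model_malloc_fn)(size_t) = malloc; /* default path: OS malloc */
static void (*model_free_fn)(void *) = free;
static int model_allow_customize = 1;  /* cleared by the first allocation */

/* Run-time redirection. Assumption: refused once the library has allocated,
 * so a block is never freed by a different allocator than made it. */
int model_set_mem_functions(void *(*m)(size_t), void (*f)(void *))
{
    if (!model_allow_customize || m == NULL || f == NULL)
        return 0;
    model_malloc_fn = m;
    model_free_fn = f;
    return 1;
}

/* Library-internal allocation entry points go through the hooks. */
void *model_lib_malloc(size_t n)
{
    model_allow_customize = 0;
    return model_malloc_fn(n);
}

void model_lib_free(void *p) { if (p != NULL) model_free_fn(p); }

/* Application-supplied hooks that count calls, making redirection visible. */
static unsigned long app_allocs, app_frees;
static void *app_malloc(size_t n) { app_allocs++; return malloc(n); }
static void app_free(void *p) { app_frees++; free(p); }

/* Bit 0: early install accepted. Bit 1: late install refused.
 * Bit 2: the library's malloc/free pair went through the app hooks. */
int demo(void)
{
    int result = 0;
    if (model_set_mem_functions(app_malloc, app_free)) result |= 1;
    void *p = model_lib_malloc(64);
    model_lib_free(p);
    if (!model_set_mem_functions(malloc, free)) result |= 2;
    if (app_allocs == 1 && app_frees == 1) result |= 4;
    return result;
}

int main(void) { printf("demo() = %d\n", demo()); return 0; }
```
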

