
Heartbleed occurred because the size of the buffer was based on the size provided by the malicious packet, the buffer was not zeroed, and then the user-provided data was written to the buffer. If user-provided-data size was less than what you said it was, the rest of the buffer contained whatever it had previously contained.


And since people were able to recover SSL keys, does this not mean that this buffer was used for... everything? Having a non-zeroing allocator for an entire library seems rather ambitious. It's significantly worse than just having a buffer pool for, say, incoming packets or something.


Oh yes, using buffers without zeroing them is a terrible idea, and sharing those buffers among different types of things is a terrible idea.

I was specifically commenting on the fact that what the parent comment described as "terribly unlikely" is in fact what happened.


There was no buffer reuse like in the linked rust demonstration, but it was data from previous allocations.
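Added illustration (not from any commenter in the thread): a minimal C model of the pattern described above, with a constructed non-zeroing arena standing in for reused heap memory so the leak is deterministic, the vulnerable handler beside the hardened one. The names `arena`, `handle_heartbeat_vulnerable` and `handle_heartbeat_fixed` are hypothetical, not OpenSSL's.

```c
/* Constructed model of the heartbeat length bug: a fixed arena stands in for
 * memory handed out by a non-zeroing allocator. Names are hypothetical. */
#include <stdint.h>
#include <string.h>

#define ARENA_SIZE 64
static uint8_t arena[ARENA_SIZE];   /* reused, never cleared between uses */

/* Simulate an earlier allocation that left sensitive data behind. */
void arena_seed_previous_contents(const char *leftover) {
    memset(arena, 0, ARENA_SIZE);
    strncpy((char *)arena, leftover, ARENA_SIZE);
}

/* Vulnerable: trusts the length claimed in the record, takes that many bytes
 * from the non-zeroed arena, but only overwrites what the peer actually sent.
 * Whatever was in the rest of the arena goes back out in the reply. */
int handle_heartbeat_vulnerable(const uint8_t *payload, size_t actual_len,
                                size_t claimed_len, uint8_t *out) {
    if (claimed_len > ARENA_SIZE || actual_len > ARENA_SIZE) return -1;
    uint8_t *buf = arena;               /* "allocation" of claimed_len bytes */
    memcpy(buf, payload, actual_len);   /* only actual_len bytes overwritten */
    memcpy(out, buf, claimed_len);      /* remainder is stale arena contents */
    return (int)claimed_len;
}

/* Hardened: reject a claimed length larger than the data received (the
 * bounds check the real fix added) and clear the buffer before use, so a
 * reply can never contain bytes the request did not supply. */
int handle_heartbeat_fixed(const uint8_t *payload, size_t actual_len,
                           size_t claimed_len, uint8_t *out) {
    if (claimed_len > actual_len || claimed_len > ARENA_SIZE) return -1;
    uint8_t *buf = arena;
    memset(buf, 0, claimed_len);        /* no stale data even if sizes match */
    memcpy(buf, payload, claimed_len);
    memcpy(out, buf, claimed_len);
    return (int)claimed_len;
}
```

With the arena seeded with a constructed secret and a request that sends 2 bytes but claims 16, the vulnerable handler returns the 2 bytes followed by 14 bytes of the previous occupant's data; the hardened handler refuses the request.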



