Bobby Krupczak wrote:
> 1) In bn_rand.c add at line 141: memset(buf, 0, bytes); =20
>
> buf = (unsigned char *)OPENSSL_malloc(bytes);
> if (buf == NULL)
> {
> BNerr(BN_F_BNRAND,ERR_R_MALLOC_FAILURE);
> goto err;
> }
> memset(buf, 0, bytes);



> 2) bn_mont.c: Initialize tmod variable declared at line 392
>
> memset(&tmod, 0, sizeof(tmod));



Maybe these two items are genuine bugs ? If some code should be using
calloc() instead of malloc() in the first case ?


You have have any simple code that exposes those bugs, simply meaning
just a page of code that when run under valgrind exposes uninit'ed data
is being used (even after a -DPURIFY version of OpenSSL is used).


Darryl
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org