Fiddly buffer overrun in OpenSSL
February 2, 2015
TrustInSoft reported bugs in Open SSL
John’s blog is hosting a post, co-authored by me, about one of the more entertaining “bugs” reported by TrustInSoft in OpenSSL. In this case the behavior was intended, and looked like a good idea when the code was originally written. I see this anecdote as a continuation of the “sociology of open-source security fixes” series. Unlike the situation in the first two posts of that series, here the codebase has a long history, with some parts of it going back twenty years, but practices have changed and compilers have changed.
The incongruous pattern was present in both LibreSSL and OpenSSL, and has now been cleaned-up from both. Many thanks to all maintainers of aging open-source software, it is a difficult task.