Thanks to code quirks n rants. This is a great example of code with poor readability. Unfortunately this sort of code is all too common in the world of C programming.
Of course, there are many examples of illegible code in every language, my complaint is not so much with the C language. There are many developers who are not happy with the state of the OpenSSL project as seen on http://www.opensslrampage.org I would be surprised if heartbleed was the only bug in OpenSSL and there are no more waiting to be found.
So just recently a vulnerability in OpenSSL’s heartbeat extension was found which was quickly dubbed –Heartbleed. In essence, this bug allows a malicious attacker to read more than an allowed chunk of memory that might contain sensitive information from other sessions i.e. the heart beat extension bleeds memory therefore heartbleed. Its a programming error which is surprisingly more common than we might like to believe. Anyway, so I decided to dig around a little and see if I can find the offending code. On the security advisory on openssl.org it mentions that this vulnerability is in versions until 1.0.1f, the later version 1.0.1g supposedly fixes it. So I downloaded the source code for both versions and did a diff check and found the following function in 1.0.1f (ssl/d1_both.c), you can also see my comments inlined in block quotes (assuming this is the actual function that has the bug):
View original post 628 more words
One thought on “Heartbleed bug – the source code”
Pingback: Why Do We Need Software Craftmanship? | Zombie Code Kill