Today's bugs have BRANDS? Be still my bleeding heart [logo]
Code-slinger Verity reviews the rash of groovy-named open-source security vulns
Bug #3: Heartbleed
Heartbleed is the first bug of my experience to come with its own logo. If this catches on, the designer fees alone will soon send the most agile development cycle spiralling out of control.
Needless to say, it is a fragment of C code that causes the trouble. However, unlike the previous efforts, I would say that this is proper C code, in the sense that it is full of the clatter of pointer arithmetic and chatter of the in-place post-increment operator. Atari BASIC could not cut this mustard.
By all means have a look; the action all takes place around line 2400.
With a crunching noise, an in-place macro pseudo-function bites off the length target buffer and hands the result to
malloc(). A swift
memcpy() and some random bytes piped on top by way of decoration and before you have had time to think 'I don't much care for this bracing style' whoosh! it's all done, with the smoothness and grace of a Bruce Forsyte fresh from an invigorating massage. To complain that it has just sent over a few clear text passwords and a brace of private keys, flotsam caught up in the mesh of an oversized buffer, feels like cavilling.
But RFC 6520 Section 4 says If a received HeartbeatResponse message does not contain the expected payload, the message MUST be discarded silently. So, there.
And I hope you will forgive my banging on about this, but if it were written in C++, it would be easier to arrange things so that, for example, transmission buffers automatically checked the size of data they were supposed to be copying. Just saying.
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Trusted Platform Module
- Zero trust