return value of RAND_bytes() is not checked

Status: Beta

Brought to you by: locofungus, stelian, vapier

#170 return value of RAND_bytes() is not checked

Milestone: None

Status: closed-fixed

Owner: nobody

Labels: None

Priority: 5

Updated: 2021-01-01

Created: 2017-06-30

Creator: Kristýna Streitová

Private: No

In common/transformation_ssl.c dump uses RAND_bytes() function without checking of the return value [1].

It seems that this code is not currently used (transformation_ssl_factory() function is currently not called) but if it will be used in the future, this can be considered security issue (resulting in a useless salt).

Thanks Daniel Molkentin (daniel.molkentin@suse.com) for finding this potential issue.

[1] https://sourceforge.net/p/dump/code/ci/master/tree/common/transformation_ssl.c#l518

Discussion

Mike Frysinger - 2021-01-01

thanks, should be fixed in faa1df059b565cca2532dac2a8f93678f8fe163b

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Mike Frysinger - 2021-01-01

status: open --> closed-fixed

Group: -->
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

return value of RAND_bytes() is not checked

Group

Searches

Help

#170 return value of RAND_bytes() is not checked

Discussion