From owner-freebsd-security@FreeBSD.ORG  Thu Apr 10 10:59:09 2014
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 197B263C
 for <freebsd-security@freebsd.org>; Thu, 10 Apr 2014 10:59:09 +0000 (UTC)
Received: from smtp.des.no (smtp.des.no [194.63.250.102])
 by mx1.freebsd.org (Postfix) with ESMTP id CF8711368
 for <freebsd-security@freebsd.org>; Thu, 10 Apr 2014 10:59:08 +0000 (UTC)
Received: from nine.des.no (smtp.des.no [194.63.250.102])
 by smtp-int.des.no (Postfix) with ESMTP id E76FA6EC9;
 Thu, 10 Apr 2014 10:59:07 +0000 (UTC)
Received: by nine.des.no (Postfix, from userid 1001)
 id 91360AB9; Thu, 10 Apr 2014 12:59:08 +0200 (CEST)
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To: "Ronald F. Guilmette" <rfg@tristatelogic.com>
Subject: Re: Heartbleed, a few naive questions
References: <42638.1397124000@server1.tristatelogic.com>
Date: Thu, 10 Apr 2014 12:59:08 +0200
In-Reply-To: <42638.1397124000@server1.tristatelogic.com> (Ronald
 F. Guilmette's message of "Thu, 10 Apr 2014 03:00:00 -0700")
Message-ID: <867g6x5u2r.fsf@nine.des.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-security@freebsd.org
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Apr 2014 10:59:09 -0000

"Ronald F. Guilmette" <rfg@tristatelogic.com> writes:
> Xin Li <delphij@delphij.net> writes:
> > For this bug, doing calloc() makes no difference.
> I would very much like to know how you reached that conclusion.

It's very simple.  The explpoit relies on reading past the end of the
allocated buffer.  Clearing the allocated buffer would not have made any
difference.  The problem is the size of the buffer, not its contents.

DES
--=20
Dag-Erling Sm=C3=B8rgrav - des@des.no