[sslh] libevent port?

ondra+sslh at mistotebe.net ondra+sslh at mistotebe.net
Tue Sep 17 00:05:43 CEST 2013


On Mon, Sep 16, 2013 at 04:40:41PM +0200, ondra+sslh at mistotebe.net wrote:
>>> Do you maintain a TODO list for sslh anywhere? If you do, here are a few
>>> ponies I've collected since starting to use it:
>>> - harden the probes to work with arbitrary ingress data (some probes
>>>   use strstr and similar)
>> 
>> I'm confused: the string library functions are all used
>> against constant strings, which I believe introduces no
>> security issue. What are you thinking about?
> 
> The incoming data might have embedded NULs or might not be
> NUL-terminated at all. I believe some probes will only work by chance
> then.

I've fixed the probes not to try reading the uninitialized data.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Make-probes-work-even-in-the-face-of-arbitrary-data.patch
Type: text/x-diff
Size: 4073 bytes
Desc: not available
URL: <http://rutschle.net/pipermail/sslh/attachments/20130917/2bd5427c/attachment-0001.patch>
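
The failure mode discussed in this thread (probe input with embedded NULs or no terminator), as an added example that is not part of the original message, the attached patch, or sslh's code: matching that is bounded by the number of bytes actually received. The names bounded_find, probe_prefix and probe_contains are hypothetical, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Search hay[0..hay_len) for needle. Never reads past hay_len and treats
 * NUL as an ordinary byte. Returns the match offset, or -1 if absent. */
long bounded_find(const char *hay, size_t hay_len,
                  const char *needle, size_t needle_len)
{
    if (needle_len == 0 || hay_len < needle_len)
        return -1;
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0)
            return (long)i;
    return -1;
}

/* Hypothetical probe: do the received bytes start with a constant prefix?
 * strlen() is applied only to the constant, never to network data. */
int probe_prefix(const char *buf, size_t len, const char *prefix)
{
    size_t n = strlen(prefix);
    return len >= n && memcmp(buf, prefix, n) == 0;
}

/* Hypothetical probe: does a constant token occur in the received bytes? */
int probe_contains(const char *buf, size_t len, const char *token)
{
    return bounded_find(buf, len, token, strlen(token)) >= 0;
}

/* Constructed sample buffers (not captured traffic), none NUL-terminated. */
const char nul_first[] = { 0, 0, 'H', 'T', 'T', 'P' };           /* embedded NULs */
const char stale[]     = { 'G', 'E', 'T', 'H', 'T', 'T', 'P' };  /* 3 bytes read, rest stale */
const char ssh_short[] = { 'S', 'S', 'H' };                      /* short first read */

int main(void)
{
    /* strstr() would stop at the first NUL here and report no match. */
    printf("nul_first: %d\n", probe_contains(nul_first, sizeof nul_first, "HTTP"));
    /* Only 3 bytes are valid; bytes left over in the buffer must not match. */
    printf("stale:     %d\n", probe_contains(stale, 3, "HTTP"));
    /* Fewer bytes than the prefix: no match, and no read past the buffer. */
    printf("ssh_short: %d\n", probe_prefix(ssh_short, sizeof ssh_short, "SSH-"));
    return 0;
}
```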

