RFR JDK-8003245

Chris Hegarty chris.hegarty at oracle.com
Thu May 30 16:09:48 UTC 2013


[cc'ing security-dev since this change is in their area]

John,

http://cr.openjdk.java.net/~jzavgren/8003245/webrev.01/

The changes in your above webrev look fine to me. I can sponsor this for 
you, unless someone from the security area wants to, or even additional 
reviews.

-Chris.


On 03/27/2013 04:30 PM, John Zavgren wrote:
> Florian:
>
> Yes, the uninitialized memory will be accessed in some cases, for example:
> @@ -1733,10 +1747,12 @@
>       CK_X9_42_DH1_DERIVE_PARAMS ckParam;
>       jfieldID fieldID;
>       jlong jKdf;
>       jobject jOtherInfo, jPublicData;
>
> +    memset(&ckParam, 0, sizeof(CK_X9_42_DH1_DERIVE_PARAMS));<--- added initialization
> +
>       /* get kdf */
>       jX942Dh1DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH1_DERIVE_PARAMS);
>       if (jX942Dh1DeriveParamsClass == NULL) { return ckParam; }
>       fieldID = (*env)->GetFieldID(env, jX942Dh1DeriveParamsClass, "kdf", "J");
>       if (fieldID == NULL) { return ckParam; }
>
> ----- Original Message -----
> From: fweimer at redhat.com
> To: john.zavgren at oracle.com
> Cc: core-libs-dev at openjdk.java.net
> Sent: Wednesday, March 27, 2013 11:48:57 AM GMT -05:00 US/Canada Eastern
> Subject: Re: RFR JDK-8003245
>
> On 03/20/2013 04:27 PM, John Zavgren wrote:
>> Please consider the following changes that eliminate the use of uninitialized memory.
>
>> http://cr.openjdk.java.net/~jzavgren/8003245/webrev.01/
>
> Is the uninitialized memory accessed on the error paths?
>



More information about the security-dev mailing list