

OpenSSL Heartbeat Code - MIT_Hacker
https://github.com/openssl/openssl/commit/bd6941cfaa31ee8a3f8661cb98227a5cbcc0f9f3?resubmit

======
syncerr
OpenSSL heartbeat bug patch (CVE-2014-0160):

[https://github.com/openssl/openssl/commit/731f431497f463f3a2...](https://github.com/openssl/openssl/commit/731f431497f463f3a2a97236fe0187b11c44aead)

> A missing bounds check in the handling of the TLS heartbeat extension can be
> used to reveal up to 64k of memory to a connected client or server.

Previous discussion:
[https://news.ycombinator.com/item?id=7557825](https://news.ycombinator.com/item?id=7557825)
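
The missing bounds check the advisory describes, sketched as an added example (not part of the thread and not OpenSSL's code): a heartbeat responder that follows the RFC 6520 record layout and discards any record whose claimed payload length exceeds the bytes actually received. The names `heartbeat_respond` and `hb_demo` are hypothetical, and the sample records are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3   /* 1-byte type + 2-byte payload_length */
#define HB_PADDING  16  /* minimum padding required by RFC 6520 */

/* Hypothetical responder, not an OpenSSL function. Returns the number of
 * bytes written to out, or 0 when the record is silently discarded. */
size_t heartbeat_respond(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    /* Too short to hold type, length and minimum padding: discard. */
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;

    /* payload_length is chosen by the peer: a claim, not a measurement. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check. Without it, the memcpy below reads up to 64k beyond
     * the received record and echoes adjacent memory back to the peer. */
    if (claimed > rec_len - HB_HEADER - HB_PADDING)
        return 0;

    size_t resp_len = HB_HEADER + claimed + HB_PADDING;
    if (resp_len > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_PADDING); /* real padding is random */
    return resp_len;
}

/* Constructed sample: a request that claims `claimed` payload bytes but
 * carries only `actual` (actual must be <= 45 to fit the 64-byte buffer). */
size_t hb_demo(uint16_t claimed, size_t actual)
{
    uint8_t rec[64] = { HB_REQUEST, (uint8_t)(claimed >> 8), (uint8_t)claimed };
    uint8_t out[64];
    memset(rec + HB_HEADER, 'A', actual);
    return heartbeat_respond(rec, HB_HEADER + actual + HB_PADDING, out, sizeof out);
}
```

An honest request such as `hb_demo(5, 5)` is echoed in full, while `hb_demo(0x4000, 1)` is dropped because the claimed length exceeds what the record holds.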

------
askQi
Can someone explain which part of the code contains the bug and why it is a
bug?

------
smtddr
[https://github.com/openssl/openssl/commit/bd6941cfaa31ee8a3f...](https://github.com/openssl/openssl/commit/bd6941cfaa31ee8a3f8661cb98227a5cbcc0f9f3?resubmit#commitcomment-5945571)

Amelek is being a bit harsh or just plain wrong; I learned a few days ago that
checking malloc's return value means almost nothing:

[https://news.ycombinator.com/item?id=7541585](https://news.ycombinator.com/item?id=7541585)

