Couple of comments on the openssl heartbeat fix.

2 points by tkinom ↗ HN
Couple comments when looking at the ssl heartbeat error patch code:<p>http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db9023b881d7cd9f379b0c154650d6c108e9a3<p>+ if (1 + 2 + 16 > s->s3->rrec.length) + return 0; /* silently discard */<p>1) Instead of "silently discard", wouldn't be a better idea to log so the server/ops team can easily see where the attacks come from or to know the server is under attack.<p><pre><code> Maybe at lease as compile and/or config options. </code></pre> 2) Such critical code fixed/checkin doesn't have any corresponding test coverage code.

0 comments

[ 3.6 ms ] story [ 13.2 ms ] thread

No comments yet.