. The design is just plain wrong.

Is that statement the benefit of hindsight knowledge, or do you have a more intelligent thought process behind it? (I can imagine the all-knowing smirk in the background, but I'd really like to know :-)

- DM

On Apr 23, 2014, at 01:06 AM, Max Rottenkolber <max@mr.gy> wrote:

From what I understand about the bug (I have not seen the code) it sounds
like data length information
arrived both directly and indirectly in the client message and that a
conflict between them was not
scrutinized.

No. The bug was that the keep alive protocol in SSL mandates the server to
echo arbitrary data back to the client. The bounds checks were wrong too,
but at that stage it really doesn't matter. The design is just plain wrong.



_______________________________________________
pro mailing list
pro@common-lisp.net
http://common-lisp.net/cgi-bin/mailman/listinfo/pro


Dr. David McClain
dbm@refined-audiometrics.com