
Wasn't heartbleed a fairly typical buffer overflow?


The typical buffer overflow would have been caught by OpenBSD's protective malloc.

> [...] OpenSSL adds a wrapper around malloc & free so that the library will cache memory on its own, and not free it to the protective malloc. [...] So then a bug shows up which leaks the content of memory mishandled by that layer. [...]

https://marc.info/?l=openbsd-misc&m=139698608410938&w=2


I don’t think the vulnerability was in malloced memory, it was some buffer on the stack. I’ve actually patched OpenSSL to stop Heartbleed as an exercise and iirc the fix was in fact just preventing a typical buffer overflow.


Seems like that commenter is also saying that it would’ve been caught as a regular buffer overflow bug?

> OpenSSL is not developed by a responsible team.


I've always thought of buffer overflow as writing beyond the intended bounds of the buffer.

Heartbleed is reading beyond the intended bounds remotely. I don't think there were similar attacks beforehand, but I could be wrong. I only have a base level knowledge here.
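The write-versus-read distinction drawn above, as an added example that is not part of the thread and not OpenSSL's code: a heartbeat responder that checks the sender's claimed payload length against the bytes actually received before echoing anything back. The function name and sample records are hypothetical and constructed; the message layout (1-byte type, 2-byte length, payload, at least 16 bytes of padding) follows RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR_LEN  3   /* type (1 byte) + payload_length (2 bytes) */
#define HB_MIN_PAD  16  /* minimum padding per RFC 6520 */

/* Constructed sample records, 22 bytes each: 3-byte payload plus zero padding. */
static const uint8_t hb_ok[22]    = {HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c'};
static const uint8_t hb_lying[22] = {HB_REQUEST, 0x40, 0x00, 'a', 'b', 'c'};
static uint8_t hb_out[64];

/* Hypothetical helper: builds the echo response into out and returns its
 * length, or -1 when the request must be silently discarded.
 * rec_len is what arrived on the wire; the length field inside rec is
 * chosen by the peer and must never be trusted on its own. */
long hb_build_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return -1;

    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t total = HB_HDR_LEN + claimed + HB_MIN_PAD;

    /* Without this comparison the memcpy below would read past the end of
     * rec: nothing is overwritten, but adjacent memory is sent to the peer. */
    if (total > rec_len || total > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, claimed);
    memset(out + HB_HDR_LEN + claimed, 0, HB_MIN_PAD); /* zero padding for the demo */
    return (long)total;
}

int main(void)
{
    printf("honest request: %ld\n",
           hb_build_response(hb_ok, sizeof hb_ok, hb_out, sizeof hb_out));
    printf("claims 16384 bytes, sent 3: %ld\n",
           hb_build_response(hb_lying, sizeof hb_lying, hb_out, sizeof hb_out));
    return 0;
}
```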


Infoleaks are nothing new.



