There are eight CVE-numbered bug fixes in all, and you probably won’t be surprised to hear that seven of these were caused by memory mismanagement.
Like OpenSSH, which we wrote about at the end of last week, OpenSSL is written in C, and taking care of memory allocation and deallocation in C programs typically involves a lot of “Do it yourself”.
Because the bogus memory address doesn’t actually exist, this sort of bug generally doesn’t corrupt anything – it’s like trying to defraud someone by mailing out a fake summons or a false invoice to a property that isn’t there.
As with a use-after-free, this can result in two parts of the program trusting the same block of memory, with each part being unware that the data it expects to be present might have been malevolently switched out by the other part.
As the OpenSSL team admits, in respect of the High severity type confusion bug above, “When certificate revocation list checking is enabled, this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp() call, enabling them to read memory contents”.
In cryptography, you have to ensure that all related tasks, such as looking up data in memory, comparing text strings, performing arithmetic, and so on, take the same amount of time, even if that means slowing down the “Easy” cases instead of trying to save time by doing everything as quickly as possible.