A couple of comments when looking at the SSL heartbeat error patch code:

http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db9023b881d7cd9f379b0c154650d6c108e9a3

+ if (1 + 2 + 16 > s->s3->rrec.length)
+ return 0; /* silently discard */

1) Instead of "silently discard", wouldn't it be a better idea to log, so the server/ops team can easily see where the attacks come from or know the server is under attack?

    Maybe at least as compile and/or config options.

2) Such a critical code fix/checkin doesn't have any corresponding test coverage code.
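Review bot: the quoted check `1 + 2 + 16 > s->s3->rrec.length` only enforces the fixed minimum record size (1-byte type, 2-byte payload length, 16-byte minimum padding); the bound that actually closes the over-read, that the payload length parsed from the message plus the padding fits inside rrec.length, is not in the two lines shown, so confirm it is present elsewhere in the commit before treating this hunk as the whole fix. On the "silently discard" comment, RFC 6520 requires a heartbeat with an over-large payload_length to be discarded silently at the protocol level, which does not preclude a local log line or counter at the same point; a regression test that feeds an undersized or mis-sized heartbeat record through this path and asserts that no response is sent would cover both the discard branch and the missing-test point raised above.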
Couple of comments on the openssl heartbeat fix. | Heykuki News