Dave Baggett via RT
2016-07-20 19:46:38 UTC
OS: Mac OS X 11.11.5
Version: OpenSSL 1.1-pre6 (head code as of yesterday)
When the server fails under some circumstances, this line reads a bad address:
/* write the header */
*(outbuf[j]++) = type & 0xff;
Because outbuf is 3. This is because prior to the alignment code, outbuf is
NULL.
outbuf is set to s->rlayer->wbuf[0].buf, which at that point has been set to
NULL by the code guarded by
#if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
in ssl3_write_bytes.
I'm sorry I can't give you a simple reproducer; I was able to reproduce it by
mailing very large files with our mail app. Eventually the Exchange server
fails and downstream code resets the write buffer and the multiblock code sets
s->rlayer->wbuf[0].buf to NULL.
The workaround is to compile with -DOPENSSL_NO_MULTIBLOCK -- I've verified
that this eliminates the crash in practice.
Feel free to email me if you want me to put in some test code and reproduce
it.
Dave
Sent with [inky](http://inky.com?kme=signature)
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4618
Please log in as guest with password guest if prompted
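The failure described in the report is that the write buffer pointer is NULL when the header-writing code runs, and that the preceding alignment arithmetic turns that NULL into a small non-zero value (the "3" seen in the debugger), so a NULL test placed after the alignment step would not catch it. The following C program is an added illustration of that pattern and of the defensive check a record writer should make before touching the buffer. It is not OpenSSL's code: the `write_buf` struct, the constants `RT_HEADER_LENGTH` and `ALIGN_PAYLOAD`, the alignment formula, and the function names are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical record-layer constants (assumptions for this example,
 * not OpenSSL's definitions): a 5-byte header of type(1), version(2),
 * length(2), and a payload that should start on an 8-byte boundary. */
#define RT_HEADER_LENGTH 5
#define ALIGN_PAYLOAD    8

/* Constructed stand-in for a write buffer whose backing store may have
 * been released (buf == NULL) by an earlier error path. */
struct write_buf {
    unsigned char *buf;
    size_t len;
};

/* Offset to add to base so that the payload following the header lands on
 * an ALIGN_PAYLOAD boundary. Pure integer arithmetic on the address value;
 * never dereferences. */
static size_t payload_align_offset(const unsigned char *base)
{
    uintptr_t a = (uintptr_t)base + RT_HEADER_LENGTH;
    return ALIGN_PAYLOAD - 1 - ((a - 1) % ALIGN_PAYLOAD);
}

/* The defect pattern: alignment is computed from the raw pointer without
 * validating it. For a NULL base this yields 3, so "base + offset" is a
 * small non-NULL pointer that a later NULL check would accept and a later
 * store would then fault on. Returns the offset only; does not write. */
size_t header_offset_unchecked(const struct write_buf *wb)
{
    return payload_align_offset(wb->buf);
}

/* Hardened variant: validate the buffer before any pointer arithmetic and
 * bounds-check the header write. Returns the number of bytes occupied
 * (alignment padding plus header) or -1 when the buffer is unusable. */
int write_record_header(struct write_buf *wb, int type, int version,
                        size_t payload_len)
{
    if (wb == NULL || wb->buf == NULL)
        return -1;   /* buffer was released: refuse instead of crashing */

    size_t off = payload_align_offset(wb->buf);
    if (off + RT_HEADER_LENGTH > wb->len || payload_len > 0xffff)
        return -1;   /* header would not fit, or length field would overflow */

    unsigned char *p = wb->buf + off;
    *(p++) = (unsigned char)(type & 0xff);                  /* write the header */
    *(p++) = (unsigned char)((version >> 8) & 0xff);
    *(p++) = (unsigned char)(version & 0xff);
    *(p++) = (unsigned char)((payload_len >> 8) & 0xff);
    *(p++) = (unsigned char)(payload_len & 0xff);
    return (int)(off + RT_HEADER_LENGTH);
}

int main(void)
{
    unsigned char store[64];
    struct write_buf released = { NULL, 0 };       /* the reported state */
    struct write_buf live = { store, sizeof store };

    printf("offset computed from NULL buffer: %zu\n",
           header_offset_unchecked(&released));
    printf("checked write on NULL buffer: %d\n",
           write_record_header(&released, 23, 0x0303, 100));
    printf("checked write on live buffer: %d bytes\n",
           write_record_header(&live, 23, 0x0303, 100));
    return 0;
}
```

The point of the check is its position: it must run on the raw pointer before the alignment step, because after that step the pointer is no longer NULL and the usual guard is useless. The same ordering applies to any error path that frees or resets a buffer that a later stage still expects to be populated.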