Discussion:
[openssl-dev] [openssl.org #4618] BUG: Crash in do_ssl3_write unless OPENSSL_NO_MULTIBLOCK
Dave Baggett via RT
2016-07-20 19:46:38 UTC
OS: Mac OS X 11.11.5
Version: OpenSSL 1.1-pre6 (head code as of yesterday)
When the server fails under some circumstances, this line reads a bad address:
/* write the header */

*(outbuf[j]++) = type & 0xff;

Because outbuf is 3. This is because prior to the alignment code, outbuf is NULL.
outbuf is set to s->rlayer->wbuf[0].buf, which at that point has been set to NULL by the code guarded by
#if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK

in ssl3_write_bytes.
I'm sorry I can't give you a simple reproducer; I was able to reproduce it by mailing very large files with our mail app. Eventually the Exchange server fails and downstream code resets the write buffer and the multiblock code sets s->rlayer->wbuf[0].buf to NULL.
The workaround is to compile with -DOPENSSL_NO_MULTIBLOCK -- I've verified that this eliminates the crash in practice.
Feel free to email me if you want me to put in some test code and reproduce it.
Dave
Sent with [inky](http://inky.com?kme=signature)
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4618
Please log in as guest with password guest if prompted
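To make the failure sequence in this report concrete, here is a small C model added by the editor (my own illustration, not OpenSSL code and not the patch Matt attached below): the multiblock path releases the write buffer and leaves wbuf[0].buf NULL, the reported header write dereferences it with no check, and a checked variant re-establishes the buffer before writing. The ssl_model and write_buffer types, RECORD_BUF_LEN and the function names are hypothetical stand-ins for the real structures.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical model of the write-buffer state in ticket #4618 (not
 * OpenSSL's real structures); multiblock models !OPENSSL_NO_MULTIBLOCK. */
typedef struct { unsigned char *buf; } write_buffer;
typedef struct { write_buffer wbuf[1]; bool multiblock; } ssl_model;
#define RECORD_BUF_LEN 64
static bool setup_write_buffer(ssl_model *s) {
    s->wbuf[0].buf = calloc(RECORD_BUF_LEN, 1);
    return s->wbuf[0].buf != NULL;
}

/* Models the path in ssl3_write_bytes guarded by the multiblock #if:
 * after the failed write the buffer is released and buf stays NULL. */
static void multiblock_write_failed(ssl_model *s) {
    if (!s->multiblock) return;
    free(s->wbuf[0].buf);
    s->wbuf[0].buf = NULL;            /* the state the report describes */
}

/* The reported line: the header is written with no check on outbuf, so
 * a NULL buf left behind by the failure path reads a bad address. */
static int write_header_unchecked(ssl_model *s, int type, unsigned plen) {
    unsigned char *outbuf = s->wbuf[0].buf;
    *(outbuf++) = type & 0xff;        /* record type */
    *(outbuf++) = 3; *(outbuf++) = 3; /* TLS 1.2 version bytes */
    *(outbuf++) = plen >> 8; *(outbuf++) = plen & 0xff;
    return 5;
}

/* Hardened variant: re-establish a buffer the failure path released. */
static int write_header_checked(ssl_model *s, int type, unsigned plen) {
    if (s->wbuf[0].buf == NULL && !setup_write_buffer(s)) return -1;
    return write_header_unchecked(s, type, plen);
}

/* The sequence from the report; returns 0 if the checked write recovers. */
int demo_failure_then_recover(void) {
    ssl_model s = { { { NULL } }, true };
    unsigned char *b;
    int rc;
    if (!setup_write_buffer(&s)) return 1;
    multiblock_write_failed(&s);      /* buf is NULL: an unchecked write would crash */
    if (write_header_checked(&s, 23, 0x10) != 5) return 2;
    b = s.wbuf[0].buf;                /* expected application-data header */
    rc = (b[0] == 23 && b[1] == 3 && b[2] == 3 && b[3] == 0 && b[4] == 0x10) ? 0 : 3;
    free(b);
    return rc;
}
```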
Matt Caswell via RT
2016-07-25 09:41:19 UTC
Hi Dave

Please could you try the attached patch and see if that resolves the issue?

Thanks

Matt
Dave Baggett via RT
2016-07-25 18:36:56 UTC
Yes, that appears to fix it. Thanks!
Dave