[openssl-dev] [openssl.org #3592] bug report. Crash. Critical? Security bug?

Wed Dec 10 08:18:57 UTC 2014

Looks like need add some check to return code len....


2014-12-10 11:06 GMT+03:00 Вячеслав Бадалян <v.badalyan at open-bs.ru>:

> Sorry. Line 1244 is
>                 OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
>                         DTLS1_HM_HEADER_LENGTH == (unsigned
> int)s->init_num);
>
>
> 2014-12-10 11:05 GMT+03:00 Вячеслав Бадалян <v.badalyan at open-bs.ru>:
>
>> (gdb) p s->d1->w_msg_hdr.msg_len
>> $2 = 0
>> (gdb) p s->init_num
>> $3 = 0
>>
>>
>> 2014-12-10 10:59 GMT+03:00 Вячеслав Бадалян <v.badalyan at open-bs.ru>:
>>
>>> Get again ASSERT in d1_both.c:1244
>>>
>>>                 OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
>>>
>>>  ((s->version==DTLS1_VERSION)?DTLS1_CCS_HEADER_LENGTH:3) == (unsigned
>>> int)s->init_num);
>>>                 }
>>>
>>>
>>>
>>>
>>>
>>> 2014-12-10 6:32 GMT+03:00 Вячеслав Бадалян <v.badalyan at open-bs.ru>:
>>>
>>>> Hello. I begin test you patch. I attach to mail patched version of you
>>>> patch wthat may clear added current SRPM of Centos 6
>>>>
>>>> 2014-12-03 5:16 GMT+03:00 Вячеслав Бадалян <v.badalyan at open-bs.ru>:
>>>>
>>>>> Thanks! I need time to test it... i will try answer at this week
>>>>>
>>>>> 2014-12-02 19:37 GMT+03:00 Matt Caswell via RT <rt at openssl.org>:
>>>>>
>>>>>> On Tue Dec 02 17:31:05 2014, v.badalyan at open-bs.ru wrote:
>>>>>> > if you send patch i can add it to SRPM build and try results
>>>>>> >
>>>>>> The patch is attached. However you may have problems with this
>>>>>> approach. I have
>>>>>> built the patch for 1.0.1e (which is the version you originally said
>>>>>> you were
>>>>>> running). However any additional patches that have been applied to
>>>>>> the SRPM
>>>>>> could cause the patch to fail to apply (and it is quite a large
>>>>>> patch). I can
>>>>>> also supply a patch against the latest 1.0.1j or OpenSSL_1_0_1-stable
>>>>>> from git
>>>>>> if you prefer.
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> С уважением,
>>>>> Бадалян Вячеслав Борисович
>>>>>
>>>>> ООО "Открытые бизнес-решения"
>>>>> Технический директор
>>>>> +7 (495) 666-0-111
>>>>> http://www.open-bs.ru
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> С уважением,
>>>> Бадалян Вячеслав Борисович
>>>>
>>>> ООО "Открытые бизнес-решения"
>>>> Технический директор
>>>> +7 (495) 666-0-111
>>>> http://www.open-bs.ru
>>>>
>>>
>>>
>>>
>>> --
>>> С уважением,
>>> Бадалян Вячеслав Борисович
>>>
>>> ООО "Открытые бизнес-решения"
>>> Технический директор
>>> +7 (495) 666-0-111
>>> http://www.open-bs.ru
>>>
>>
>>
>>
>> --
>> С уважением,
>> Бадалян Вячеслав Борисович
>>
>> ООО "Открытые бизнес-решения"
>> Технический директор
>> +7 (495) 666-0-111
>> http://www.open-bs.ru
>>
>
>
>
> --
> С уважением,
> Бадалян Вячеслав Борисович
>
> ООО "Открытые бизнес-решения"
> Технический директор
> +7 (495) 666-0-111
> http://www.open-bs.ru
>



-- 
С уважением,
Бадалян Вячеслав Борисович

ООО "Открытые бизнес-решения"
Технический директор
+7 (495) 666-0-111
http://www.open-bs.ru

-------------- next part --------------

--- a/ssl/d1_srvr.c`	2014-12-10 11:12:43.570309059 +0300
+++ b/ssl/d1_srvr.c	2014-12-10 11:13:53.418025227 +0300
@@ -1593,7 +1593,9 @@
 				}
 			}
 
-		l=dtls1_output_cert_chain(s,x);
+		if ((l=dtls1_output_cert_chain(s,x)) <= 0){
+			return -1;
+		}
 		s->state=SSL3_ST_SW_CERT_B;
 		s->init_num=(int)l;
 		s->init_off=0;
