[openssl-dev] [openssl.org #3592] bug report. Crash. Critical? Security bug?

Вячеслав Бадалян via RT rt at openssl.org
Wed Dec 10 08:38:58 UTC 2014


After adding the check I still get a crash; the full gdb backtrace is attached below. The abort happens inside glibc's _int_malloc, reached from dtls1_do_write (d1_both.c:318) via BIO_write / BUF_MEM_grow_clean / CRYPTO_realloc_clean, and the dtls1_do_write frame shows curr_mtu = -13.

2014-12-10 11:18 GMT+03:00 Вячеслав Бадалян <v.badalyan at open-bs.ru>:

> It looks like some check on the returned length is needed....
>
>
> 2014-12-10 11:06 GMT+03:00 Вячеслав Бадалян <v.badalyan at open-bs.ru>:
>
>> Sorry, I quoted the wrong snippet. Line 1244 is:
>>                 OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
>>                         DTLS1_HM_HEADER_LENGTH == (unsigned
>> int)s->init_num);
>>
>>
>> 2014-12-10 11:05 GMT+03:00 Вячеслав Бадалян <v.badalyan at open-bs.ru>:
>>
>>> (gdb) p s->d1->w_msg_hdr.msg_len
>>> $2 = 0
>>> (gdb) p s->init_num
>>> $3 = 0
>>>
>>>
>>> 2014-12-10 10:59 GMT+03:00 Вячеслав Бадалян <v.badalyan at open-bs.ru>:
>>>
>>>> I hit the OPENSSL_assert in d1_both.c:1244 again:
>>>>
>>>>                 OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
>>>>
>>>>  ((s->version==DTLS1_VERSION)?DTLS1_CCS_HEADER_LENGTH:3) == (unsigned
>>>> int)s->init_num);
>>>>                 }
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> 2014-12-10 6:32 GMT+03:00 Вячеслав Бадалян <v.badalyan at open-bs.ru>:
>>>>
>>>>> Hello. I have started testing your patch. I am attaching a version of your
>>>>> patch adjusted so that it applies cleanly on top of the current CentOS 6 SRPM.
>>>>>
>>>>> 2014-12-03 5:16 GMT+03:00 Вячеслав Бадалян <v.badalyan at open-bs.ru>:
>>>>>
>>>>>> Thanks! I need some time to test it... I will try to answer this week.
>>>>>>
>>>>>> 2014-12-02 19:37 GMT+03:00 Matt Caswell via RT <rt at openssl.org>:
>>>>>>
>>>>>>> On Tue Dec 02 17:31:05 2014, v.badalyan at open-bs.ru wrote:
>>>>>>> > If you send a patch, I can add it to the SRPM build and report the results.
>>>>>>> >
>>>>>>> The patch is attached. However you may have problems with this
>>>>>>> approach. I have
>>>>>>> built the patch for 1.0.1e (which is the version you originally said
>>>>>>> you were
>>>>>>> running). However any additional patches that have been applied to
>>>>>>> the SRPM
>>>>>>> could cause the patch to fail to apply (and it is quite a large
>>>>>>> patch). I can
>>>>>>> also supply a patch against the latest 1.0.1j or
>>>>>>> OpenSSL_1_0_1-stable from git
>>>>>>> if you prefer.
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> С уважением,
>>>>>> Бадалян Вячеслав Борисович
>>>>>>
>>>>>> ООО "Открытые бизнес-решения"
>>>>>> Технический директор
>>>>>> +7 (495) 666-0-111
>>>>>> http://www.open-bs.ru
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> С уважением,
>>>>> Бадалян Вячеслав Борисович
>>>>>
>>>>> ООО "Открытые бизнес-решения"
>>>>> Технический директор
>>>>> +7 (495) 666-0-111
>>>>> http://www.open-bs.ru
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> С уважением,
>>>> Бадалян Вячеслав Борисович
>>>>
>>>> ООО "Открытые бизнес-решения"
>>>> Технический директор
>>>> +7 (495) 666-0-111
>>>> http://www.open-bs.ru
>>>>
>>>
>>>
>>>
>>> --
>>> С уважением,
>>> Бадалян Вячеслав Борисович
>>>
>>> ООО "Открытые бизнес-решения"
>>> Технический директор
>>> +7 (495) 666-0-111
>>> http://www.open-bs.ru
>>>
>>
>>
>>
>> --
>> С уважением,
>> Бадалян Вячеслав Борисович
>>
>> ООО "Открытые бизнес-решения"
>> Технический директор
>> +7 (495) 666-0-111
>> http://www.open-bs.ru
>>
>
>
>
> --
> С уважением,
> Бадалян Вячеслав Борисович
>
> ООО "Открытые бизнес-решения"
> Технический директор
> +7 (495) 666-0-111
> http://www.open-bs.ru
>



-- 
С уважением,
Бадалян Вячеслав Борисович

ООО "Открытые бизнес-решения"
Технический директор
+7 (495) 666-0-111
http://www.open-bs.ru

-------------- next part: attached gdb backtrace (bt full) --------------
#0  _int_malloc (av=0x7fff4c000020, bytes=<value optimized out>) at malloc.c:4476
        iters = <value optimized out>
        nb = 6496
        idx = 103
        bin = <value optimized out>
        victim = 0x7fff4c007d70
        size = 8016
        victim_index = <value optimized out>
        remainder = <value optimized out>
        remainder_size = <value optimized out>
        block = <value optimized out>
        bit = <value optimized out>
        map = <value optimized out>
        fwd = <value optimized out>
        bck = 0x0
        errstr = 0x0
#1  0x00000037c9e7a6b1 in __libc_malloc (bytes=6488) at malloc.c:3664
        ar_ptr = 0x7fff4c000020
        victim = <value optimized out>
        hook = <value optimized out>
#2  0x00007ffff780bd36 in CRYPTO_realloc_clean (str=0x7fff4c026ca0, old_len=4780, num=6488, file=0x7ffff7912c9b "buffer.c", line=166) at mem.c:372
        ret = 0x0
#3  0x00007ffff787bae6 in BUF_MEM_grow_clean (str=0x7fff3c034870, len=4864) at buffer.c:166
        ret = <value optimized out>
        n = 6488
#4  0x00007ffff787d513 in mem_write (b=<value optimized out>, in=0x7fff4c0231b0 "\026\376\377", inl=256) at bss_mem.c:189
        ret = -1
        blen = 4608
        bm = 0x7fff3c034870
#5  0x00007ffff787c747 in BIO_write (b=0x7fff3c033a60, in=0x7fff4c0231b0, inl=256) at bio_lib.c:247
        i = <value optimized out>
        cb = 0
#6  0x00007ffff787f871 in buffer_ctrl (b=0x7fff4c012fd0, cmd=<value optimized out>, num=0, ptr=0x0) at bf_buff.c:404
        dbio = <value optimized out>
        ctx = 0x7fff4c018a70
        ret = 1
        p1 = <value optimized out>
        p2 = <value optimized out>
        r = <value optimized out>
        i = <value optimized out>
        ip = <value optimized out>
        ibs = <value optimized out>
        obs = <value optimized out>
#7  0x00007ffff7bc2b0d in dtls1_do_write (s=0x7fff3c0335f0, type=22) at d1_both.c:318
        ret = <value optimized out>
        curr_mtu = -13
        retry = 1
        len = <value optimized out>
        frag_off = 3816
        mac_size = 0
        blocksize = 0
#8  0x00007ffff7bbbdf7 in dtls1_accept (s=0x7fff3c0335f0) at d1_srvr.c:426
        buf = <value optimized out>
        Time = 1418200173
        cb = 0
        alg_k = <value optimized out>
        ret = <value optimized out>
        new_state = <value optimized out>
        state = 8512
        skip = 0
        listen = 0
#9  0x00007ffff7bc085d in dtls1_read_bytes (s=0x7fff3c0335f0, type=23, buf=0x7fff3c0060f8 "\026\376\377", len=121, peek=0) at d1_pkt.c:787
        al = <value optimized out>
        i = <value optimized out>
        j = <value optimized out>
        ret = <value optimized out>
        n = <value optimized out>
        rr = <value optimized out>
        cb = 0
#10 0x00007ffff7baaed0 in ssl3_read_internal (s=0x7fff3c0335f0, buf=0x7fff3c0060f8, len=121, peek=0) at s3_lib.c:4273
        ret = <value optimized out>
#11 0x00007fffa25fbef5 in __rtp_recvfrom (instance=0x7fff3c015348, buf=0x7fff3c0060f8, size=8192, flags=0, sa=0x7fff9ada69d0, rtcp=0) at res_rtp_asterisk.c:2019
        dtls = 0x7fff3c008ce0
        res = 0
        len = 121
        rtp = 0x7fff3c005f40
        srtp = 0x0
        in = 0x7fff3c0060f8 "\026\376\377"
        loop = 0x7fff3c0085e8
        __PRETTY_FUNCTION__ = "__rtp_recvfrom"
#12 0x00007fffa25fc31f in rtp_recvfrom (instance=0x7fff3c015348, buf=0x7fff3c0060f8, size=8192, flags=0, sa=0x7fff9ada69d0) at res_rtp_asterisk.c:2094
No locals.
#13 0x00007fffa2605621 in ast_rtp_read (instance=0x7fff3c015348, rtcp=0) at res_rtp_asterisk.c:4127
        rtp = 0x7fff3c005f40
        addr = {ss = {ss_family = 2, __ss_align = 0, 
            __ss_padding = "\b\243\001L\377\177\000\000R\367\346\311\067\000\000\000\001\200\255\373\377\177\000\000\b\243\001L\377\177\000\000\b\243\001L\377\177\000\000\b\243\001L\377\177\000\000\b\243\001L\377\177\000\000\020\243\001L\377\177\000\000\a\244\001L\377\177\000\000\b\243\001L\377\177\000\000\a\244\001L\377\177", '\000' <repeats 25 times>}, len = 16}
        res = 0
        hdrlen = 12
        version = 32767
        payloadtype = 0
        padding = 0
        mark = 1275080150
        ext = 32767
        cc = 1275080150
        prev_seqno = 32767
        rtpheader = 0x7fff3c0060f8
        seqno = 0
        ssrc = 33
        timestamp = 29
        payload = {asterisk_format = 6, format = {id = 0, fattr = {format_attr = {1275100224, 32767, 1275100229, 32767, 6567044, 0, 2598004992, 4294967295, 5775753, 19, 1006650992, 78, 78, 77, 9665472, 0, 5262095, 0, 1275083272, 32767, 
                9381552, 0, 6717365, 0, 6718801, 0, 6717397, 1589, 6714548, 0, 16, 1587, 6714548, 0, 2598005744, 32767, 5281951, 0, 1548, 32767, 6718801, 0, 1418200173, 0, 92029, 0, 24, 48, 2598006224, 32767, 6715567, 0, 1006651024, 
                32767, 4094289024, 32767, 4094283063, 474, 4094284180, 32767, 2598005232, 5, 875638834, 758264109}, rtp_marker_bit = 49 '1'}}, rtp_code = 959593009, payload = 3355450}
        remote_address = {ss = {ss_family = 0, __ss_align = 0, __ss_padding = '\000' <repeats 111 times>}, len = 0}
        frames = {first = 0x1039500, last = 0x5983a5}
        __PRETTY_FUNCTION__ = "ast_rtp_read"
#14 0x00000000005529d3 in ast_rtp_instance_read (instance=0x7fff3c015348, rtcp=0) at rtp_engine.c:314
No locals.
#15 0x00007fffb26d6839 in sip_rtp_read (ast=0x7fff3c0373b8, p=0x7fff3c00bef8, faxdetect=0x7fff9ada6c64) at chan_sip.c:8198
        f = 0x7fff3c00bea0
        __PRETTY_FUNCTION__ = "sip_rtp_read"
#16 0x00007fffb26d6fe8 in sip_read (ast=0x7fff3c0373b8) at chan_sip.c:8295
        fr = 0x498779
        p = 0x7fff3c00bef8
        faxdetected = 0
        __PRETTY_FUNCTION__ = "sip_read"
#17 0x000000000047d255 in __ast_read (chan=0x7fff3c0373b8, dropaudio=0) at channel.c:4054
        f = 0x0
        prestate = 6
        cause = 0
        __PRETTY_FUNCTION__ = "__ast_read"
#18 0x000000000047effe in ast_read (chan=0x7fff3c0373b8) at channel.c:4408
No locals.
#19 0x0000000000476b90 in ast_safe_sleep_conditional (chan=0x7fff3c0373b8, timeout_ms=5000, cond=0, data=0x0) at channel.c:1702
        dup_f = 0x0
        f = 0x8f0fe0
        silgen = 0x0
        res = 0
        start = {tv_sec = 1418200173, tv_usec = 92058}
        ms = 5000
        deferred_frames = {first = 0x0, last = 0x0}
        __PRETTY_FUNCTION__ = "ast_safe_sleep_conditional"
#20 0x0000000000476dc0 in ast_safe_sleep (chan=0x7fff3c0373b8, ms=5000) at channel.c:1746
No locals.
#21 0x00007ffff40986c2 in play_moh_exec (chan=0x7fff3c0373b8, data=0x7fff9ada9490 ",5") at res_musiconhold.c:801
        parse = 0x7fff9ada7220 ""
        class = 0x0
        timeout = 5000
        res = 0
        args = {argc = 2, argv = 0x7fff9ada7250, class = 0x7fff9ada7220 "", duration = 0x7fff9ada7221 "5"}
        __PRETTY_FUNCTION__ = "play_moh_exec"
#22 0x000000000052c661 in pbx_exec (c=0x7fff3c0373b8, app=0x10394a0, data=0x7fff9ada9490 ",5") at pbx.c:1622
        res = 36
        u = 0x7fff4c01a1b0
        saved_c_appl = 0x0
        saved_c_data = 0x0
        __PRETTY_FUNCTION__ = "pbx_exec"
#23 0x0000000000537108 in pbx_extension_helper (c=0x7fff3c0373b8, con=0x0, context=0x7fff3c038208 "from-internal", exten=0x7fff3c038258 "766", priority=2, label=0x0, callerid=0x7fff3c034090 "74996051913", action=E_SPAWN, 
    found=0x7fff9adabb70, combined_find_spawn=1) at pbx.c:4915
        e = 0xf66c60
        app = 0x10394a0
        substitute = 0x0
        res = 1006858600
        q = {incstack = {0xfb6f80 "from-internal", 0xfb7fa0 "from-internal-noxfer", 0xfa58e0 "from-internal-noxfer-additional", 0xfe5880 "from-internal-xfer", 0xfd7780 "from-internal-additional", 0x0 <repeats 123 times>}, stacklen = 5, 
          status = 5, swo = 0x0, data = 0x0, foundcontext = 0xfd78d0 "from-internal-additional-custom"}
        passdata = ",5\000\232\377\177\000\000\360\226ښ\377\177\000\000\000\000\000\000\377\177\000\000\376\226ښ\377\177\000\000\377\377\377\377\000\000\000\000\220\225ښ\377\177\000\000\377\377\377\377\377\377\377\377\000\232ښ\377\177\000\000\000\000\000\000\000\000\000\000`\226ښ\377\177\000\000\037\000\000\000\000\000\000\000x\231ښ\377\177\000\000\060\236ښ\000\000\000\000 \367\346\311\067\000\000\000\001\200\255\373\377\177\000\000\060\236ښ\377\177\000\000\060\236ښ\000\000\000\000\257\t\000\000\000\000\000\000\000\000\000\000\377\177\000\000\061\236ښ\377\177\000\000\000\000\000\000\377\177\000\000\000\000\000\000\001\000\000\000O\236ښ\377\177\000\000\377\377\377\377", '\000' <repeats 12 times>, "x\231ښ\377\177\000\000s", '\000' <repeats 15 times>"\302, \352f\000\000\000\000\000\360\226ښ", '\000' <repeats 16 times>, "\v\000\000\000\001\004\000\000\000\000\000\000\270\362\344\311\067\000\000\000\060\000\000\000\060", '\000' <repeats 11 times>"\300, \225ښ\377"...
        matching_action = 0
        __PRETTY_FUNCTION__ = "pbx_extension_helper"
#24 0x000000000053a5a3 in ast_spawn_extension (c=0x7fff3c0373b8, context=0x7fff3c038208 "from-internal", exten=0x7fff3c038258 "766", priority=2, callerid=0x7fff3c034090 "74996051913", found=0x7fff9adabb70, combined_find_spawn=1)
    at pbx.c:6037
No locals.
#25 0x000000000053bd40 in __ast_pbx_run (c=0x7fff3c0373b8, args=0x0) at pbx.c:6512
        digit = 0
        invalid = 0
        timeout = 0
        dst_exten = "\000\377\377\377\377\377\377\377\001", '\000' <repeats 31 times>, "@\001\000\000\000\000\000\000\a", '\000' <repeats 15 times>, "\001\000\000\000\000\000\000\000x{ \312\067", '\000' <repeats 11 times>"\370, \377\377\377\377\377\377\377\001\000\000\000\000\000\000\000\020\000\000\000\000\000\000\000\033\377\001", '\000' <repeats 13 times>, " \275ښ\377\177\000\000лښ\377\177\000\000\020\275ښ\377\177\000\000p\315ښ\377\177\000\000\340\272ښ\377\177\000\000\320\336 \312\067\000\000\000\003\000\000\000\000\000\000\000\264\062\243\232\377\177\000\000ؼښ\377\177\000\000\340\274ښ\377\177\000\000\000\000\000\000\000\000\000\000\350\274ښ\377\177", '\000' <repeats 18 times>"\360, \275ښ\377\177\000\000\000\000\000\000\000\000\000"
        pos = 0
        found = 1
        res = 0
        autoloopflag = 0
        error = 0
        pbx = 0x7fff4c01c3a0
        callid = 0x0
        __PRETTY_FUNCTION__ = "__ast_pbx_run"
#26 0x000000000053d81d in pbx_thread (data=0x7fff3c0373b8) at pbx.c:6842
        c = 0x7fff3c0373b8
#27 0x0000000000599ddc in dummy_start (data=0x7fff3c01b080) at utils.c:1192
        __cancel_buf = {__cancel_jmp_buf = {{__cancel_jmp_buf = {140735791417088, -9220635199591366855, 140735787189888, 140735791417792, 0, 3, -9220635199582978247, 9220711381188919097}, __mask_was_saved = 0}}, __pad = {
            0x7fff9adabe90, 0x0, 0x7fff9adaca10, 0x0}}
        __cancel_routine = 0x441124 <ast_unregister_thread>
        __cancel_arg = 0x7fff9adac700
        not_first_call = 0
        ret = 0x37ca18a850
        a = {start_routine = 0x53d7f8 <pbx_thread>, data = 0x7fff3c0373b8, name = 0x7fff3c03a740 "pbx_thread", ' ' <repeats 11 times>, "started at [ 6868] pbx.c ast_pbx_start()"}
#28 0x00000037ca2079d1 in start_thread (arg=0x7fff9adac700) at pthread_create.c:301
        __res = <value optimized out>
        pd = 0x7fff9adac700
        now = <value optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140735791417088, 9220711866970718009, 140735787189888, 140735791417792, 0, 3, -9220635199622824135, 9194407422128865081}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, 
            data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <value optimized out>
        pagesize_m1 = <value optimized out>
        sp = <value optimized out>
        freesize = <value optimized out>
#29 0x00000037c9ee89dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
No locals.

