[openssl-dev] [openssl.org #3592] bug report. Crash. Critical? Security bug?

Вячеслав Бадалян via RT rt at openssl.org
Wed Dec 10 09:08:48 UTC 2014


Also, the valgrind output:

==17767== Thread 37:
==17767== Source and destination overlap in memcpy(0x253bfcbd, 0x7e9c51b, 4294967209)
==17767==    at 0x4A09A48: memcpy (vg_replace_strmem.c:916)
==17767==    by 0x4E5A2B6: do_dtls1_write (d1_pkt.c:1592)
==17767==    by 0x4E5DA69: dtls1_do_write (d1_both.c:359)
==17767==    by 0x4E56DF6: dtls1_accept (d1_srvr.c:426)
==17767==    by 0x4E5B85C: dtls1_read_bytes (d1_pkt.c:787)
==17767==    by 0x4E45ECF: ssl3_read_internal (s3_lib.c:4273)
==17767==    by 0x215E3EF4: __rtp_recvfrom (res_rtp_asterisk.c:2019)
==17767==    by 0x215E431E: rtp_recvfrom (res_rtp_asterisk.c:2094)
==17767==    by 0x215ED620: ast_rtp_read (res_rtp_asterisk.c:4127)
==17767==    by 0x5529D2: ast_rtp_instance_read (rtp_engine.c:314)
==17767==    by 0x114A7838: sip_rtp_read (chan_sip.c:8198)
==17767==    by 0x114A7FE7: sip_read (chan_sip.c:8295)
==17767==    by 0x47D254: __ast_read (channel.c:4054)
==17767==    by 0x47EFFD: ast_read (channel.c:4408)
==17767==    by 0x476B8F: ast_safe_sleep_conditional (channel.c:1702)
==17767==
==17767== Invalid read of size 2
==17767==    at 0x4A09C4C: memcpy (vg_replace_strmem.c:916)
==17767==    by 0x4E5A2B6: do_dtls1_write (d1_pkt.c:1592)
==17767==    by 0x4E5DA69: dtls1_do_write (d1_both.c:359)
==17767==    by 0x4E56DF6: dtls1_accept (d1_srvr.c:426)
==17767==    by 0x4E5B85C: dtls1_read_bytes (d1_pkt.c:787)
==17767==    by 0x4E45ECF: ssl3_read_internal (s3_lib.c:4273)
==17767==    by 0x215E3EF4: __rtp_recvfrom (res_rtp_asterisk.c:2019)
==17767==    by 0x215E431E: rtp_recvfrom (res_rtp_asterisk.c:2094)
==17767==    by 0x215ED620: ast_rtp_read (res_rtp_asterisk.c:4127)
==17767==    by 0x5529D2: ast_rtp_instance_read (rtp_engine.c:314)
==17767==    by 0x114A7838: sip_rtp_read (chan_sip.c:8198)
==17767==    by 0x114A7FE7: sip_read (chan_sip.c:8295)
==17767==    by 0x47D254: __ast_read (channel.c:4054)
==17767==    by 0x47EFFD: ast_read (channel.c:4408)
==17767==    by 0x476B8F: ast_safe_sleep_conditional (channel.c:1702)
==17767==  Address 0x107e9c4c2 is not stack'd, malloc'd or (recently) free'd
==17767==
==17767==
==17767== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==17767==  Access not within mapped region at address 0x107E9C4C2
==17767==    at 0x4A09C4C: memcpy (vg_replace_strmem.c:916)
==17767==    by 0x4E5A2B6: do_dtls1_write (d1_pkt.c:1592)
==17767==    by 0x4E5DA69: dtls1_do_write (d1_both.c:359)
==17767==    by 0x4E56DF6: dtls1_accept (d1_srvr.c:426)
==17767==    by 0x4E5B85C: dtls1_read_bytes (d1_pkt.c:787)
==17767==    by 0x4E45ECF: ssl3_read_internal (s3_lib.c:4273)
==17767==    by 0x215E3EF4: __rtp_recvfrom (res_rtp_asterisk.c:2019)
==17767==    by 0x215E431E: rtp_recvfrom (res_rtp_asterisk.c:2094)
==17767==    by 0x215ED620: ast_rtp_read (res_rtp_asterisk.c:4127)
==17767==    by 0x5529D2: ast_rtp_instance_read (rtp_engine.c:314)
==17767==    by 0x114A7838: sip_rtp_read (chan_sip.c:8198)
==17767==    by 0x114A7FE7: sip_read (chan_sip.c:8295)
==17767==    by 0x47D254: __ast_read (channel.c:4054)
==17767==    by 0x47EFFD: ast_read (channel.c:4408)
==17767==    by 0x476B8F: ast_safe_sleep_conditional (channel.c:1702)


2014-12-10 11:38 GMT+03:00 Вячеслав Бадалян <v.badalyan at open-bs.ru>:

> After adding the check, I get a crash
>
> 2014-12-10 11:18 GMT+03:00 Вячеслав Бадалян <v.badalyan at open-bs.ru>:
>
>> Looks like we need to add some check on the return code len....
>>
>>
>> 2014-12-10 11:06 GMT+03:00 Вячеслав Бадалян <v.badalyan at open-bs.ru>:
>>
>>> Sorry. Line 1244 is
>>>                 OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
>>>                                DTLS1_HM_HEADER_LENGTH == (unsigned int)s->init_num);
>>>
>>>
>>> 2014-12-10 11:05 GMT+03:00 Вячеслав Бадалян <v.badalyan at open-bs.ru>:
>>>
>>>> (gdb) p s->d1->w_msg_hdr.msg_len
>>>> $2 = 0
>>>> (gdb) p s->init_num
>>>> $3 = 0
>>>>
>>>>
>>>> 2014-12-10 10:59 GMT+03:00 Вячеслав Бадалян <v.badalyan at open-bs.ru>:
>>>>
>>>>> I get the ASSERT again in d1_both.c:1244
>>>>>
>>>>>                 OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
>>>>>                                ((s->version == DTLS1_VERSION) ? DTLS1_CCS_HEADER_LENGTH : 3) == (unsigned int)s->init_num);
>>>>>                 }
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> 2014-12-10 6:32 GMT+03:00 Вячеслав Бадалян <v.badalyan at open-bs.ru>:
>>>>>
>>>>>> Hello. I have begun testing your patch. I attach to this mail a patched version of
>>>>>> your patch that can be cleanly added to the current SRPM of CentOS 6
>>>>>>
>>>>>> 2014-12-03 5:16 GMT+03:00 Вячеслав Бадалян <v.badalyan at open-bs.ru>:
>>>>>>
>>>>>>> Thanks! I need time to test it... I will try to answer this week
>>>>>>>
>>>>>>> 2014-12-02 19:37 GMT+03:00 Matt Caswell via RT <rt at openssl.org>:
>>>>>>>
>>>>>>>> On Tue Dec 02 17:31:05 2014, v.badalyan at open-bs.ru wrote:
>>>>>>>> > if you send a patch I can add it to the SRPM build and try the results
>>>>>>>> >
>>>>>>>> The patch is attached. However you may have problems with this
>>>>>>>> approach. I have built the patch for 1.0.1e (which is the version
>>>>>>>> you originally said you were running). However any additional
>>>>>>>> patches that have been applied to the SRPM could cause the patch
>>>>>>>> to fail to apply (and it is quite a large patch). I can also
>>>>>>>> supply a patch against the latest 1.0.1j or OpenSSL_1_0_1-stable
>>>>>>>> from git if you prefer.
>>>>>>>>
>>>>>>>> Matt
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Best regards,
>>>>>>> Бадалян Вячеслав Борисович
>>>>>>>
>>>>>>> ООО "Открытые бизнес-решения"
>>>>>>> Technical Director
>>>>>>> +7 (495) 666-0-111
>>>>>>> http://www.open-bs.ru
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
>



-- 
Best regards,
Бадалян Вячеслав Борисович

ООО "Открытые бизнес-решения"
Technical Director
+7 (495) 666-0-111
http://www.open-bs.ru
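The valgrind trace above shows memcpy being handed a length of 4294967209 (a small negative value that has wrapped to unsigned) together with overlapping source and destination regions, and the reporter's remark that some check on the length is needed. The following is an added example, not code from OpenSSL or from anyone in this thread: it puts the unchecked subtraction that produces such a wrapped length beside a hardened copy that validates the fragment length, the destination capacity and region overlap before calling memcpy. HM_HDR_LEN, copy_fragment_checked and the demo_* functions are names and values assumed for illustration; HM_HDR_LEN is not OpenSSL's DTLS1_HM_HEADER_LENGTH.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed constant for illustration: a 12-byte handshake message header.
 * This is a stand-in, not OpenSSL's DTLS1_HM_HEADER_LENGTH macro. */
#define HM_HDR_LEN 12u

/* Unchecked arithmetic of the kind that yields an absurd memcpy length:
 * an unsigned 32-bit subtraction wraps whenever the fragment is shorter
 * than its header (0 - 12 becomes 4294967284). */
uint32_t payload_len_unchecked(uint32_t frag_len)
{
    return frag_len - HM_HDR_LEN;
}

/* Hardened copy: validate every length and both regions before touching
 * memory. Returns the payload length copied, or -1 if the fragment is
 * malformed, does not fit, or overlaps the destination. */
long copy_fragment_checked(uint8_t *dst, size_t dst_cap,
                           const uint8_t *frag, size_t frag_len)
{
    if (dst == NULL || frag == NULL)
        return -1;
    if (frag_len < HM_HDR_LEN)        /* the subtraction below would wrap */
        return -1;
    size_t payload = frag_len - HM_HDR_LEN;
    if (payload > dst_cap)            /* would overrun the destination */
        return -1;

    /* memcpy on overlapping regions is undefined behaviour (valgrind's
     * first complaint above); compare as integers and refuse. */
    const uint8_t *src = frag + HM_HDR_LEN;
    uintptr_t s0 = (uintptr_t)src, s1 = s0 + payload;
    uintptr_t d0 = (uintptr_t)dst, d1 = d0 + payload;
    if (s0 < d1 && d0 < s1)
        return -1;

    memcpy(dst, src, payload);
    return (long)payload;
}

/* Constructed sample fragment: 12 zero header bytes followed by payload
 * bytes 1..8. Returns the sum of the copied payload (36) on success. */
long demo_valid_copy(void)
{
    uint8_t frag[HM_HDR_LEN + 8], out[8];
    memset(frag, 0, sizeof frag);
    for (unsigned i = 0; i < 8; i++)
        frag[HM_HDR_LEN + i] = (uint8_t)(i + 1);
    if (copy_fragment_checked(out, sizeof out, frag, sizeof frag) != 8)
        return -1;
    long sum = 0;
    for (unsigned i = 0; i < 8; i++)
        sum += out[i];
    return sum;
}

/* Constructed malformed input: 5 bytes, shorter than the header. The
 * unchecked path would ask memcpy for ~4 GiB; the checked path returns -1. */
long demo_short_fragment(void)
{
    uint8_t frag[5] = {0}, out[8];
    return copy_fragment_checked(out, sizeof out, frag, sizeof frag);
}

/* Constructed overlap: destination window lies inside the source buffer. */
long demo_overlap(void)
{
    uint8_t buf[HM_HDR_LEN + 8] = {0};
    return copy_fragment_checked(buf + 8, 8, buf, sizeof buf);
}

int main(void)
{
    printf("wrapped length for a 0-byte fragment: %u\n", payload_len_unchecked(0));
    printf("valid copy, payload sum: %ld\n", demo_valid_copy());
    printf("short fragment: %ld\n", demo_short_fragment());
    printf("overlapping regions: %ld\n", demo_overlap());
    return 0;
}
```

The point of the checked version is that every condition memcpy silently relies on (length did not wrap, destination is large enough, regions do not overlap) is tested up front and turned into an error return, so a malformed fragment is dropped instead of driving memcpy into unmapped memory as in the SIGSEGV above.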


