[openssl-dev] [openssl.org #3592] bug report. Crash. Critical? Security bug?

Вячеслав Бадалян via RT rt at openssl.org
Mon Dec 15 12:19:39 UTC 2014


Under valgrind we got this:

==48882== Thread 40:
==48882== Invalid write of size 8
==48882==    at 0x4A0B4BC: memset (vg_replace_strmem.c:1094)
==48882==    by 0x34354DAB63: BUF_MEM_grow_clean (buffer.c:152)
==48882==    by 0x34354DC512: mem_write (bss_mem.c:189)
==48882==    by 0x34354DB746: BIO_write (bio_lib.c:247)
==48882==    by 0x34354DE870: buffer_ctrl (bf_buff.c:404)
==48882==    by 0x343583FA48: dtls1_do_write (d1_both.c:323)
==48882==    by 0x3435838DF6: dtls1_accept (d1_srvr.c:426)
==48882==    by 0x343583D85C: dtls1_read_bytes (d1_pkt.c:787)
==48882==    by 0x3435827ECF: ssl3_read_internal (s3_lib.c:4273)
==48882==    by 0x20CCFEF4: __rtp_recvfrom (res_rtp_asterisk.c:2019)
==48882==    by 0x20CD031E: rtp_recvfrom (res_rtp_asterisk.c:2094)
==48882==    by 0x20CD9620: ast_rtp_read (res_rtp_asterisk.c:4127)
==48882==    by 0x5529D2: ast_rtp_instance_read (rtp_engine.c:314)
==48882==    by 0x10B93838: sip_rtp_read (chan_sip.c:8198)
==48882==    by 0x10B93FE7: sip_read (chan_sip.c:8295)
==48882==  Address 0x570f138 is 2,120 bytes inside a block of size 2,392 free'd
==48882==    at 0x4A06BE4: free (vg_replace_malloc.c:473)
==48882==    by 0x343546AD62: CRYPTO_realloc_clean (mem.c:377)
==48882==    by 0x34354DAAE5: BUF_MEM_grow_clean (buffer.c:166)
==48882==    by 0x34354DC512: mem_write (bss_mem.c:189)
==48882==    by 0x34354DB746: BIO_write (bio_lib.c:247)
==48882==    by 0x34354DE870: buffer_ctrl (bf_buff.c:404)
==48882==    by 0x343583FA48: dtls1_do_write (d1_both.c:323)
==48882==    by 0x3435838DF6: dtls1_accept (d1_srvr.c:426)
==48882==    by 0x20CCE998: dtls_perform_handshake (res_rtp_asterisk.c:1584)
==48882==    by 0x20CCEA89: ast_rtp_on_ice_complete (res_rtp_asterisk.c:1610)
==48882==    by 0x20CE0DAC: on_timer (in /usr/lib/asterisk/modules/res_rtp_asterisk.so)
==48882==    by 0x20D0FB6D: pj_timer_heap_poll (in /usr/lib/asterisk/modules/res_rtp_asterisk.so)
==48882==    by 0x20CCED58: timer_worker_thread (res_rtp_asterisk.c:1696)
==48882==    by 0x20D0109A: thread_main (in /usr/lib/asterisk/modules/res_rtp_asterisk.so)
==48882==    by 0x37CA2079D0: start_thread (pthread_create.c:301)


2014-12-15 14:34 GMT+03:00 Вячеслав Бадалян <v.badalyan at open-bs.ru>:
>
> Hello. We got an openssl assert on header len... sorry, I can't send it to you
> because I deleted the screen log :(
>
> 2014-12-14 4:07 GMT+03:00 Вячеслав Бадалян <v.badalyan at open-bs.ru>:
>>
>> We got openssl assert.
>> On 13 Dec 2014 at 17:49, "Вячеслав Бадалян" <v.badalyan at open-bs.ru> wrote:
>>
>> Thanks!
>>> I applied the patch and ran the test robot. On Monday I will send you the results.
>>>
>>> 2014-12-12 19:13 GMT+03:00 Matt Caswell via RT <rt at openssl.org>:
>>>>
>>>> On Wed Dec 10 10:08:48 2014, v.badalyan at open-bs.ru wrote:
>>>> > Also valgrind output
>>>> >
>>>> > ==17767== Thread 37:
>>>> > ==17767== Source and
>>>> > destination overlap in memcpy(0x253bfcbd, 0x7e9c51b,
>>>> > 4294967209)
>>>> ^^^^^^^^^^^^ This is interesting. That equates to -87. I think there is a
>>>> signed/unsigned conversion issue going on here.
>>>>
>>>> I have another patch. It is cumulative on the last one (i.e. apply the first
>>>> one, and then apply this one on top). Keep your other change too (although I
>>>> think that is an unrelated problem).
>>>>
>>>> Let me know how you get on.
>>>>
>>>> Matt
>>>>
>>>>
>>>
>>
>


-- 
Best regards,
Бадалян Вячеслав Борисович

ООО "Открытые бизнес-решения"
Technical Director
+7 (495) 666-0-111
http://www.open-bs.ru
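As an added example (not code from this thread, and not OpenSSL code), the C program below reproduces the arithmetic behind Matt's observation: a signed length of -87 stored into a 32-bit unsigned type becomes exactly the 4294967209 that valgrind printed in the memcpy warning, and the reverse helper recovers -87 from such a value when reading a report. The `checked_copy` function is a hypothetical hardened wrapper showing the check a caller needs before handing a possibly negative length to memcpy; all three function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The value valgrind printed, 4294967209, is what a signed length of -87
 * becomes once it is converted to a 32-bit unsigned type: 2^32 - 87.
 * (An int converted straight to a 64-bit size_t would instead read
 * 18446744073709551529, so a hop through a 32-bit unsigned type is implied.) */
uint32_t neg_len_as_u32(int len)
{
    return (uint32_t)len;   /* -87 -> 4294967209 */
}

/* Reverse the conversion when triaging a report: recover the signed 32-bit
 * value that a suspiciously large unsigned length most likely started as. */
long long u32_as_signed(uint32_t v)
{
    return v > INT32_MAX ? (long long)v - 4294967296LL : (long long)v;
}

/* Hypothetical hardened copy (not OpenSSL code): validate a possibly
 * negative length against both buffers before it reaches memcpy, whose
 * size_t parameter cannot represent "negative". Returns 0 on success,
 * -1 if the length is rejected. */
int checked_copy(unsigned char *dst, size_t dst_cap,
                 const unsigned char *src, size_t src_len, long len)
{
    if (len < 0)
        return -1;                       /* would wrap to a huge size_t */
    if ((unsigned long)len > dst_cap || (unsigned long)len > src_len)
        return -1;                       /* over-read or over-write */
    memcpy(dst, src, (size_t)len);
    return 0;
}

int main(void)
{
    /* constructed sample buffers */
    unsigned char src[8] = "abcdefg", dst[8] = {0};
    printf("(uint32_t)-87 = %u\n", neg_len_as_u32(-87));
    printf("4294967209 as signed 32-bit = %lld\n", u32_as_signed(4294967209u));
    printf("copy len -87: %d\n", checked_copy(dst, sizeof dst, src, sizeof src, -87));
    printf("copy len 3:   %d (%s)\n", checked_copy(dst, sizeof dst, src, sizeof src, 3), dst);
    return 0;
}
```

The point for a defender reading such a trace: a memcpy length near 2^32 or 2^64 is almost never a genuine size, it is a negative signed value that crossed into an unsigned parameter, so the fix belongs at the conversion point (reject `len < 0` before any cast), not in memcpy itself.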


