[openssl-dev] [openssl.org #3592] bug report. Crash. Critical? Security bug?

Вячеслав Бадалян via RT rt at openssl.org
Mon Dec 15 12:39:43 UTC 2014


Got assert
d1_both.c(296): OpenSSL internal error, assertion failed: s->init_num == (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH


2014-12-15 15:19 GMT+03:00 Вячеслав Бадалян <v.badalyan at open-bs.ru>:
>
> On valgrind we got this
>
> ==48882== Thread 40:
> ==48882== Invalid write of size 8
> ==48882==    at 0x4A0B4BC: memset (vg_replace_strmem.c:1094)
> ==48882==    by 0x34354DAB63: BUF_MEM_grow_clean (buffer.c:152)
> ==48882==    by 0x34354DC512: mem_write (bss_mem.c:189)
> ==48882==    by 0x34354DB746: BIO_write (bio_lib.c:247)
> ==48882==    by 0x34354DE870: buffer_ctrl (bf_buff.c:404)
> ==48882==    by 0x343583FA48: dtls1_do_write (d1_both.c:323)
> ==48882==    by 0x3435838DF6: dtls1_accept (d1_srvr.c:426)
> ==48882==    by 0x343583D85C: dtls1_read_bytes (d1_pkt.c:787)
> ==48882==    by 0x3435827ECF: ssl3_read_internal (s3_lib.c:4273)
> ==48882==    by 0x20CCFEF4: __rtp_recvfrom (res_rtp_asterisk.c:2019)
> ==48882==    by 0x20CD031E: rtp_recvfrom (res_rtp_asterisk.c:2094)
> ==48882==    by 0x20CD9620: ast_rtp_read (res_rtp_asterisk.c:4127)
> ==48882==    by 0x5529D2: ast_rtp_instance_read (rtp_engine.c:314)
> ==48882==    by 0x10B93838: sip_rtp_read (chan_sip.c:8198)
> ==48882==    by 0x10B93FE7: sip_read (chan_sip.c:8295)
> ==48882==  Address 0x570f138 is 2,120 bytes inside a block of size 2,392 free'd
> ==48882==    at 0x4A06BE4: free (vg_replace_malloc.c:473)
> ==48882==    by 0x343546AD62: CRYPTO_realloc_clean (mem.c:377)
> ==48882==    by 0x34354DAAE5: BUF_MEM_grow_clean (buffer.c:166)
> ==48882==    by 0x34354DC512: mem_write (bss_mem.c:189)
> ==48882==    by 0x34354DB746: BIO_write (bio_lib.c:247)
> ==48882==    by 0x34354DE870: buffer_ctrl (bf_buff.c:404)
> ==48882==    by 0x343583FA48: dtls1_do_write (d1_both.c:323)
> ==48882==    by 0x3435838DF6: dtls1_accept (d1_srvr.c:426)
> ==48882==    by 0x20CCE998: dtls_perform_handshake (res_rtp_asterisk.c:1584)
> ==48882==    by 0x20CCEA89: ast_rtp_on_ice_complete (res_rtp_asterisk.c:1610)
> ==48882==    by 0x20CE0DAC: on_timer (in /usr/lib/asterisk/modules/res_rtp_asterisk.so)
> ==48882==    by 0x20D0FB6D: pj_timer_heap_poll (in /usr/lib/asterisk/modules/res_rtp_asterisk.so)
> ==48882==    by 0x20CCED58: timer_worker_thread (res_rtp_asterisk.c:1696)
> ==48882==    by 0x20D0109A: thread_main (in /usr/lib/asterisk/modules/res_rtp_asterisk.so)
> ==48882==    by 0x37CA2079D0: start_thread (pthread_create.c:301)
>
>
> 2014-12-15 14:34 GMT+03:00 Вячеслав Бадалян <v.badalyan at open-bs.ru>:
>>
>> Hello. We got an openssl assert on header len... sorry, I can't send it to
>> you because I deleted the screen log :(
>>
>> 2014-12-14 4:07 GMT+03:00 Вячеслав Бадалян <v.badalyan at open-bs.ru>:
>>>
>>> We got openssl assert.
>>> On 13 Dec 2014 at 17:49, "Вячеслав Бадалян" <v.badalyan at open-bs.ru> wrote:
>>>
>>>> Thanks!
>>>> I apply the patch and run the test robot. On Monday I will send you the results.
>>>>
>>>> 2014-12-12 19:13 GMT+03:00 Matt Caswell via RT <rt at openssl.org>:
>>>>>
>>>>> On Wed Dec 10 10:08:48 2014, v.badalyan at open-bs.ru wrote:
>>>>> > Also valgrind output
>>>>> >
>>>>> > ==17767== Thread 37:
>>>>> > ==17767== Source and
>>>>> > destination overlap in memcpy(0x253bfcbd, 0x7e9c51b,
>>>>> > 4294967209)
>>>>> ^^^^^^^^^^^^ This is interesting. That equates to -87. I think there is a
>>>>> signed/unsigned conversion issue going on here.
>>>>>
>>>>> I have another patch. It is cumulative on the last one (i.e. apply the first
>>>>> one, and then apply this one on top). Keep your other change too (although I
>>>>> think that is an unrelated problem).
>>>>>
>>>>> Let me know how you get on.
>>>>>
>>>>> Matt
>>>>>
>>>>>
>>>>
>>>> --
>>>> Best regards,
>>>> Бадалян Вячеслав Борисович
>>>>
>>>> ООО "Открытые бизнес-решения"
>>>> Technical Director
>>>> +7 (495) 666-0-111
>>>> http://www.open-bs.ru
>>>>


-- 
Best regards,
Бадалян Вячеслав Борисович

ООО "Открытые бизнес-решения"
Technical Director
+7 (495) 666-0-111
http://www.open-bs.ru
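
The quoted reply in this thread notes that the memcpy length 4294967209 "equates to -87". The following is an added example, not part of the original messages and not OpenSSL code or the patch under test: it shows how a negative length surfaces as that value and one way to refuse it before the copy. All function names and buffer sizes are hypothetical and the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The path by which -87 becomes the reported memcpy length: a negative int
 * converted to a 32-bit unsigned value, then widened to size_t. */
static size_t len_as_seen_by_memcpy(int n)
{
    return (size_t)(uint32_t)n;
}

/* Unchecked form: unsigned subtraction wraps when consumed > total. */
static uint32_t remaining_unchecked(uint32_t total, uint32_t consumed)
{
    return total - consumed;
}

/* Checked form: validate both bounds before any length reaches memcpy.
 * Returns the number of bytes copied, or -1 if the request is refused. */
static long copy_remaining(unsigned char *dst, size_t dst_cap,
                           const unsigned char *src, size_t total,
                           size_t consumed)
{
    if (consumed > total)
        return -1;              /* would have wrapped to a huge length */
    if (total - consumed > dst_cap)
        return -1;              /* would overflow the destination */
    memcpy(dst, src + consumed, total - consumed);
    return (long)(total - consumed);
}

/* Constructed sample buffers so the check can be exercised stand-alone. */
static long try_copy(size_t total, size_t consumed)
{
    static unsigned char src[256], dst[256];
    if (total > sizeof(src))
        return -1;
    return copy_remaining(dst, sizeof(dst), src, total, consumed);
}

int main(void)
{
    printf("(size_t)(uint32_t)-87 = %zu\n", len_as_seen_by_memcpy(-87));
    printf("100 - 187 unchecked   = %u\n", (unsigned)remaining_unchecked(100, 187));
    printf("checked copy 100/187  = %ld\n", try_copy(100, 187));
    printf("checked copy 100/13   = %ld\n", try_copy(100, 13));
    return 0;
}
```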


