[openssl-dev] Suspicious crash in 1.0.2

Erik Forsberg erik at efca.com
Sat Feb 28 06:53:05 UTC 2015


Hi.
I seem to have run into a really hard to pin down issue in
OpenSSL 1.0.2. Normally, it simply causes an EFAULT during
a write syscall, which makes me close the connection, but
to investigate, I added a core dump at that time. This is what I see

(dbx) where
current thread: t at 6
  [1] __lwp_sigqueue(0x6, 0x6, 0xffffc1c01c5fb7e0, 0xffffffff, 0x0, 0xffff80ffbf05cbb0), at 0xffff80ffbf27e70a 
  [2] thr_kill(), at 0xffff80ffbf272ec8 
  [3] raise(), at 0xffff80ffbf22291d 
  [4] abort(), at 0xffff80ffbf1f7ff2 
  [5] sock_write(b = 0x4f53d0, in = 0xc1e8 "<bad address 0x000000000000c1e8>", inl = 14060), line 156 in "bss_sock.c"
  [6] BIO_write(b = 0x4f53d0, in = 0xc1e8, inl = 14060), line 243 in "bio_lib.c"
=>[7] ssl3_write_pending(s = 0x9ab1d0, type = 23, buf = 0xcc2010 "HTTP/1.1 200 OK^M\nContent-Type: image/jpeg^M\nContent-Disposition: attachment; filename="photo.JPG"^M\nCache-Control: no-cache,private^M\nPragma: no-cache^M\nDate: Sat, 28 Feb 2015 03:55:43 GMT^M\nTransfer-Encoding: chunked^M\nContent-Encoding: gzip^M\n^M\n4000^M\n^_\x8b^H", len = 63488U), line 1091 in "s3_pkt.c"
  [8] ssl3_write_bytes(s = 0x9ab1d0, type = 23, buf_ = 0xcc2010, len = 65536), line 668 in "s3_pkt.c"
  [9] ssl3_write(s = 0x9ab1d0, buf = 0xcc2010, len = 65536), line 4400 in "s3_lib.c"
  [10] SSL_write(s = 0x9ab1d0, buf = 0xcc2010, num = 65536), line 1046 in "ssl_lib.c"
  [11] spr_tls_nonblock_write(so = 24, s = 0x9ab1d0, buffer = 0xcc2010, length = 129916, error = 0xffff80ffbf05cf2c), line 1351 in "spr_tls.c"
  [12] http_sender(con = 0xb06010), line 425 in "http.c"
  [13] wsd_worker(arg = 0xb06010), line 941 in "server.c"
  [14] worker_thread(arg = 0x523c10), line 382 in "spr_thrpool.c"
  [15] _thrp_setup(), at 0xffff80ffbf2751cd 
  [16] _lwp_start(), at 0xffff80ffbf275470 
(dbx) up
Current function is ssl3_write_bytes
  668           i = ssl3_write_pending(s, type, &buf[tot], s->s3->wpend_tot);
(dbx) p *wb
*wb = {
    buf    = (nil)
    len    = 63700U
    offset = 49640
    left   = 14060
}

The EFAULT error is clearly due to wb->buf == NULL.
As far as I can see, setting wb->buf to NULL is done in the
fairly new MULTIBLOCK code. What led up to this is quite complex,
but the following points seem relevant.

What my web server is trying to do is send a reasonably large image/jpeg
in response to a GET call. The entire image is sent in one large SSL_write() call
(in non-blocking mode), so I can see that the first call to SSL_write returns 0 bytes
written with a WANT_WRITE error; when I retry the SSL_write call I get this error.

If I limit the size of each call to SSL_write() to 16KB, all works well.
It only fails when the browser is Firefox (NSS), works fine with IE 11.

Not sure if this behaviour was introduced by OpenSSL 1.0.2 or Firefox 35 (both
occurred very close to each other).

My platform is Solaris 11.2, compiler SunStudio 12.4
configured like
perl Configure solaris64-x86_64-cc --prefix=/usr/local/ssl --openssldir=/usr/local/ssl --libdir=lib/amd64 enable-ssl-trace shared threads zlib-dynamic

nothing special there

Any ideas how to narrow this down further?
