[openssl-dev] [openssl.org #4236] SSL_connect() crash with CRL

Daniel Stenberg via RT rt at openssl.org
Thu Jan 14 17:08:13 UTC 2016


Hey

I've had this crash for a while with current openssl git master. It is 
perfectly reproducible using curl test 313 and I have an openssl build here 
with debug symbols so I can provide more info to help someone diagnose this, 
just let me know.

The test case works fine with all previously released OpenSSL versions I've 
tried it with.

Program received signal SIGSEGV, Segmentation fault.
0x00007fffffffd158 in ?? ()
(gdb) bt
#0  0x00007fffffffd158 in ?? ()
#1  0x00000000005804ca in check_cert (ctx=0x7fffffffd010) at x509_vfy.c:708
#2  0x00000000005803d5 in check_revocation (ctx=0x7fffffffd010)
     at x509_vfy.c:685
#3  0x000000000057f3bc in verify_chain (ctx=0x7fffffffd010) at x509_vfy.c:209
#4  0x000000000057f643 in X509_verify_cert (ctx=0x7fffffffd010)
     at x509_vfy.c:278
#5  0x00000000004c5c32 in ssl_verify_cert_chain (s=0x9ff630, sk=0xa0cb50)
     at ssl_cert.c:532
#6  0x00000000004df0b7 in tls_process_server_certificate (s=0x9ff630,
     pkt=0x7fffffffd1f0) at statem/statem_clnt.c:1332
#7  0x00000000004dde03 in ossl_statem_client_process_message (s=0x9ff630,
     pkt=0x7fffffffd1f0) at statem/statem_clnt.c:739
#8  0x00000000004d57b8 in read_state_machine (s=0x9ff630)
     at statem/statem.c:610
#9  0x00000000004d538f in state_machine (s=0x9ff630, server=0)
     at statem/statem.c:430
#10 0x00000000004d4e4c in ossl_statem_connect (s=0x9ff630)
     at statem/statem.c:218
#11 0x00000000004c2e01 in SSL_do_handshake (s=0x9ff630) at ssl_lib.c:2926
#12 0x00000000004c007c in SSL_connect (s=0x9ff630) at ssl_lib.c:1419
#13 0x0000000000487d28 in ossl_connect_step2 (conn=0x9fc938, sockindex=0)
     at vtls/openssl.c:2084
#14 0x0000000000489b73 in ossl_connect_common (conn=0x9fc938, sockindex=0,
     nonblocking=true, done=0x7fffffffd63c) at vtls/openssl.c:2813
#15 0x0000000000489ca4 in Curl_ossl_connect_nonblocking (conn=0x9fc938,
     sockindex=0, done=0x7fffffffd63c) at vtls/openssl.c:2847

[snipped off more layers of libcurl code that isn't relevant here]

(gdb) fr 1
#1  0x00000000005804ca in check_cert (ctx=0x7fffffffd010) at x509_vfy.c:708
708                 ok = ctx->get_crl(ctx, &crl, x);
(gdb) p ctx
$1 = (X509_STORE_CTX *) 0x7fffffffd010
(gdb) p crl
$2 = (X509_CRL *) 0x0
(gdb) p x
$3 = (X509 *) 0xa0cbb0
(gdb) p ctx->get_crl
$5 = (int (*)(X509_STORE_CTX *, X509_CRL **, X509 *)) 0x7fffffffd158

This looks like it points to illegal memory?

-- 

  / daniel.haxx.se
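An added illustration, not code from the report, from curl or from OpenSSL, of what the last gdb output shows: the get_crl callback value (0x7fffffffd158) is 0x148 bytes past ctx (0x7fffffffd010), so it points into stack memory right next to the context rather than at code. The verify_ctx struct, its size and the guard are assumptions; the point is the defensive pattern of initialising every callback field before the object is used and refusing to call a pointer that lands inside the object itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a verify context that carries function-pointer
 * callbacks, like get_crl in the backtrace. Layout and size are assumptions,
 * not OpenSSL's real X509_STORE_CTX. */
typedef int (*get_crl_fn)(void *ctx, void **crl, void *x);

typedef struct verify_ctx {
    unsigned char other_fields[0x140]; /* assumed size of the preceding fields */
    get_crl_fn get_crl;                /* callback invoked during revocation check */
    int error;
} verify_ctx;

/* Default callback: well-formed, simply reports "no CRL available". */
static int default_get_crl(void *ctx, void **crl, void *x) {
    (void)ctx; (void)x;
    *crl = NULL;
    return 0;
}

/* Initialise every field, including callbacks, before the context is used.
 * A stack-allocated context that skips this step holds whatever bytes were
 * already on the stack, which is exactly what a callback value near ctx looks like. */
void verify_ctx_init(verify_ctx *ctx) {
    memset(ctx, 0, sizeof *ctx);
    ctx->get_crl = default_get_crl;
}

/* 1 if address p lies inside the object [base, base + size). A callback
 * pointer inside its own context can never be valid code. */
int ptr_inside_object(uintptr_t base, size_t size, uintptr_t p) {
    return p >= base && p < base + size;
}

/* Guarded call: returns -1 instead of jumping to a NULL pointer or to a
 * pointer that lands inside the context object. */
int safe_get_crl(verify_ctx *ctx, void **crl, void *x) {
    uintptr_t fp = (uintptr_t)ctx->get_crl;
    if (ctx->get_crl == NULL ||
        ptr_inside_object((uintptr_t)ctx, sizeof *ctx, fp))
        return -1;
    return ctx->get_crl(ctx, crl, x);
}

/* Addresses copied from the gdb session above. */
#define PAGE_CTX_ADDR  0x7fffffffd010ULL
#define PAGE_GET_CRL   0x7fffffffd158ULL

/* Distance of the bogus callback value from the ctx base (0x148 bytes). */
long page_callback_offset(void) {
    return (long)(PAGE_GET_CRL - PAGE_CTX_ADDR);
}

int main(void) {
    verify_ctx ctx;
    void *crl = NULL;

    printf("get_crl - ctx = 0x%lx bytes\n", page_callback_offset());

    verify_ctx_init(&ctx);
    printf("initialised ctx: safe_get_crl -> %d\n", safe_get_crl(&ctx, &crl, NULL));

    /* Deliberately plant a pointer into the context (constructed scenario)
     * to show the guard refusing the call instead of segfaulting. */
    ctx.get_crl = (get_crl_fn)((uintptr_t)&ctx + 0x148);
    printf("callback inside ctx: safe_get_crl -> %d\n", safe_get_crl(&ctx, &crl, NULL));
    return 0;
}
```

The guard is a diagnostic aid for tracking down this class of crash, not a substitute for the real fix, which is making sure the library (or the caller, where the API leaves it to the caller) fills in every callback before the context reaches check_cert.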

_______________________________________________
openssl-bugs-mod mailing list
openssl-bugs-mod at openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod


