[openssl-dev] [openssl.org #4618] BUG: Crash in do_ssl3_write unless OPENSSL_NO_MULTIBLOCK

Dave Baggett via RT rt at openssl.org
Wed Jul 20 19:46:38 UTC 2016


OS: Mac OS X 11.11.5
Version: OpenSSL 1.1-pre6 (head code as of yesterday)
When the server fails under some circumstances, this line reads a bad address:
    /* write the header */
    *(outbuf[j]++) = type & 0xff;

Because outbuf is 3. This is because prior to the alignment code, outbuf is 
NULL.
outbuf is set to s->rlayer->wbuf[0].buf, which at that point has been set to 
NULL by the code guarded by
#if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK

in ssl3_write_bytes.
I'm sorry I can't give you a simple reproducer; I was able to reproduce it by 
mailing very large files with our mail app. Eventually the Exchange server 
fails and downstream code resets the write buffer and the multiblock code sets 
s->rlayer->wbuf[0].buf to NULL.
The workaround is to compile with -DOPENSSL_NO_MULTIBLOCK -- I've verified 
that this eliminates the crash in practice.
Feel free to email me if you want me to put in some test code and reproduce 
it.
Dave
Sent with [inky](http://inky.com?kme=signature)

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4618
Please log in as guest with password guest if prompted
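As an added illustration (not code from the report or from OpenSSL), a small C model of the sequence Dave describes: the write buffer is released and its pointer left NULL, the alignment arithmetic in do_ssl3_write then turns NULL into 3, and the header store faults. The struct and function names are constructed to mirror the report; the two constants take the values OpenSSL uses for SSL3_RT_HEADER_LENGTH and SSL3_ALIGN_PAYLOAD.

```c
/* Added model of the failure described in the report; illustrative code,
 * not OpenSSL's. Names are constructed to mirror the report (wbuf[0].buf,
 * outbuf, type). The two constants match the values OpenSSL uses for
 * SSL3_RT_HEADER_LENGTH and SSL3_ALIGN_PAYLOAD. */
#include <stdint.h>
#include <stdlib.h>

#define SSL3_RT_HEADER_LENGTH 5
#define SSL3_ALIGN_PAYLOAD    8

typedef struct { unsigned char *buf; size_t len; } SSL3_BUFFER;
typedef struct { SSL3_BUFFER wbuf[1]; } RECORD_LAYER;

/* Alignment step from do_ssl3_write: pads so the payload after the 5-byte
 * header lands on an 8-byte boundary. Applied to a NULL buffer it yields 3,
 * which is why the reporter saw outbuf == 3 rather than NULL. */
size_t payload_align(const unsigned char *buf) {
    size_t align = (size_t)(uintptr_t)buf + SSL3_RT_HEADER_LENGTH;
    return SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
}

/* Allocate the write buffer (stands in for ssl3_setup_write_buffer). */
int setup_write_buffer(RECORD_LAYER *rl, size_t len) {
    rl->wbuf[0].buf = calloc(1, len);
    rl->wbuf[0].len = rl->wbuf[0].buf ? len : 0;
    return rl->wbuf[0].buf != NULL;
}

/* Free the buffer and leave buf == NULL, as the multiblock path does when
 * the write buffer is reset after the peer fails. */
void release_write_buffer(RECORD_LAYER *rl) {
    free(rl->wbuf[0].buf);
    rl->wbuf[0].buf = NULL;
    rl->wbuf[0].len = 0;
}

/* Header write from do_ssl3_write with the invariant check the crash shows
 * is needed: refuse to proceed when the buffer has been released instead of
 * aligning NULL to 3 and storing through it. Returns 1 on success, 0 if the
 * buffer is gone or too small for the header. */
int write_record_header(RECORD_LAYER *rl, int type) {
    unsigned char *outbuf = rl->wbuf[0].buf;
    if (outbuf == NULL || rl->wbuf[0].len < payload_align(outbuf) + SSL3_RT_HEADER_LENGTH)
        return 0;
    outbuf += payload_align(outbuf);
    *(outbuf++) = type & 0xff;   /* the store that faulted in the report */
    return 1;
}
```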
