[openssl-dev] [openssl.org #4467] SSL_Connect crashed
Viktor Dukhovni via RT
rt at openssl.org
Mon Mar 21 16:10:19 UTC 2016
> On Mar 21, 2016, at 11:51 AM, Tiantian Liu via RT <rt at openssl.org> wrote:
>
>
> srp_ctx = {SRP_cb_arg = 0x0, TLS_ext_srp_username_callback = 0, SRP_verify_param_callback = 0, SRP_give_srp_client_pwd_callback = 0,
> login = 0x44454c4c <Address 0x44454c4c out of bounds>, N = 0x9a285f8, g = 0x61, s = 0x9a29820, B = 0xdbd150, A = 0x0, a = 0x4, b = 0x18, v = 0x18, info = 0x9a298d0 "", strength = 0,
> srp_Mask = 0}
> (gdb) n
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x008283cc in ssl3_connect () from /usr/lib/libssl.so.1.0.0
> (gdb) quit
>
> The SSL structure was returned by SSL_new(), and we didn't touch the SSL structure before we calling SSL_Connect().
> The only suspicious value I found is the 'out of bounds' error upon 'login' field. But I don't think it caused the crash.
Interestingly, "0x44454c4c" is "DELL". In OpenSSL the SSL_new() function
zeros the SSL structure when it is allocated. So that "DELL" clobbered
the "login" pointer after the structure was allocated in SSL_new().
Are you using SRP? One would expect the entire SRP context to be zeroed
otherwise... Either something is clobbering memory, or you may be using
SRP incorrectly.
--
Viktor.
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4467
Please log in as guest with password guest if prompted
More information about the openssl-dev
mailing list