[openssl-dev] [openssl.org #4467] SSL_Connect crashed

Viktor Dukhovni via RT rt at openssl.org
Mon Mar 21 16:10:19 UTC 2016

> On Mar 21, 2016, at 11:51 AM, Tiantian Liu via RT <rt at openssl.org> wrote:
> srp_ctx = {SRP_cb_arg = 0x0, TLS_ext_srp_username_callback = 0, SRP_verify_param_callback = 0, SRP_give_srp_client_pwd_callback = 0,
>    login = 0x44454c4c <Address 0x44454c4c out of bounds>, N = 0x9a285f8, g = 0x61, s = 0x9a29820, B = 0xdbd150, A = 0x0, a = 0x4, b = 0x18, v = 0x18, info = 0x9a298d0 "", strength = 0,
>    srp_Mask = 0}
> (gdb) n
> Program received signal SIGSEGV, Segmentation fault.
> 0x008283cc in ssl3_connect () from /usr/lib/libssl.so.1.0.0
> (gdb) quit
> The SSL structure was returned by SSL_new(), and we didn't touch the SSL structure before we calling SSL_Connect().
> The only suspicious value I found is the  'out of bounds' error upon 'login' field. But I don't think it caused the crash.

Interestingly, "0x44454c4c" is "DELL".  In OpenSSL the SSL_new() function
zeros the SSL structure when it is allocated.  So that "DELL" clobbered
the "login" pointer after the structure was allocated in SSL_new().

Are you using SRP?  One would expect the entire SRP context to be zeroed
otherwise...  Either something is clobbering memory, or you may be using
SRP incorrectly.


Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4467
Please log in as guest with password guest if prompted

More information about the openssl-dev mailing list