[openssl-dev] [openssl.org #4545] Crash in crypto/rand/md_rand.c

Mick Saxton via RT rt at openssl.org
Fri May 20 15:49:50 UTC 2016


Hi

Before going any further I would like to state that I have only seen this problem when we have 10000 or more concurrent connections.

Mostly we notice it on Windows but I have seen it on Linux (Ubuntu).

I first noticed it when using v1.0.2d but have seen it again since upgrading to v1.0.2h.

It can happen in one of two places and results in a call to MD_Update with a negative value.

I have come up with a temporary fix which avoids the possibility of crashing at the expense of some randomness.
The system is very highly stressed at this point so debugging further is difficult.

The fix I am using is probably not what you eventually will want to implement but it does improve stability.

273:            MD_Update(&m, &(state[st_idx]), (j - k) );
Change to
273:            MD_Update(&m, &(state[st_idx]), (j - k) > 0 ? j - k : 1);  // micks at 1e.com (j -k) must not be negative
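
Review bot: the `> 0` test in the replacement for line 273 sends a zero difference to the fallback as well as a negative one, so a call where j equals k now hashes one byte where the original hashed none. Only the negative case needs rewriting. The fallback also still reads from &(state[st_idx]), so if a bad st_idx is what made j - k negative, that one byte comes from the same suspect offset. Suggest skipping the call when j - k < 0 and recording j, k and st_idx at that point, which would also help locate where the value goes wrong.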

And

495:            MD_Update(&m, &(state[st_idx]), MD_DIGEST_LENGTH / 2 - k )
Change to
495:            MD_Update(&m, &(state[st_idx]), MD_DIGEST_LENGTH / 2 - k > 0 ? MD_DIGEST_LENGTH / 2 - k : 1);  // micks at 1e.com (j -k) must not be negative
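
Review bot: the trailing comment on the replacement for line 495 still says "(j -k) must not be negative", but the length in this call is MD_DIGEST_LENGTH / 2 - k, so the comment should name that expression. The condition is also left unparenthesised here, unlike the `(j - k) > 0` form used at line 273; it parses as intended, but computing the length once into a local and testing that would keep the condition and the argument from drifting apart. The quoted original line has no terminating semicolon while the replacement does, so it is worth confirming the "before" line was copied in full.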


I do have a test program which can reproduce this behaviour.

If I can be of further help - please contact me by email.

Regards
Mick Saxton


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4545
Please log in as guest with password guest if prompted

-------------- next part --------------
A non-text attachment was scrubbed...
Name: crash.log
Type: application/octet-stream
Size: 1132 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160520/83efc891/attachment-0001.obj>

