Title: RE: bug in EVP_MD_CTX_copy()

Bharath are u from Chennai?

-----Original Message-----
From: T Bharath [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 23, 2001 1:34 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: bug in EVP_MD_CTX_copy()

Iam trying to use openssl in my app and boundschecker was giving the
following error
        stack memory overrun
        Copying 96 bytes to ctx.digest
        Starting offset 0,destination size:4 bytes
The callstack details are

EVP_MD_CTX_copy()     \crypto\evp\digest.c       line no 90
ssl3_handshake_mac()   \ssl\s3_enc.c             434
ssl3_final_finish_mac()  \ssl\s3_enc.c           419
ssl3_send_finished()     \ssl\s3_both.c         155
ssl3_connect()          \ssl\s3_clnt.c          329
SSL_connect()           \ssl\ssl_lib.c          727
ssl23_get_server_hello() \ssl\s23_clnt.c        469
ssl23_connect()          \ssl\ssl_clnt.c        179
SSL_connect()            \ssl\ssl_lib.c         727

Taking a closer look i found that in
ssl3_handshake_mac() we have instantiated  EVP_MD_CTX ctx;
and then call EVP_MD_CTX_copy(&ctx,in_ctx) inside which we do a memcpy
Now ctx has a pointer member    const EVP_MD *digest;
When we instantiate ctx ,digest being a member pointer does not get
allocated any memory and when we do the memcpy inside EVP_MD_CTX_copy
we are copying data into a dangling pointer.Shouldnt we allocate memory
to ctx.digest before calling EVP_MD_CTX_copy.
Iam using openssl-0.9.5a but i checked the latest openssl-0.9.6
engine.This bug is still there





______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to