T Bharath wrote:
>
> I am trying to use OpenSSL in my app and BoundsChecker was giving the
> following error:
> stack memory overrun
> Copying 96 bytes to ctx.digest
> Starting offset 0, destination size: 4 bytes
> The callstack details are
>
> EVP_MD_CTX_copy() \crypto\evp\digest.c line no 90
> ssl3_handshake_mac() \ssl\s3_enc.c 434
> ssl3_final_finish_mac() \ssl\s3_enc.c 419
> ssl3_send_finished() \ssl\s3_both.c 155
> ssl3_connect() \ssl\s3_clnt.c 329
> SSL_connect() \ssl\ssl_lib.c 727
> ssl23_get_server_hello() \ssl\s23_clnt.c 469
> ssl23_connect() \ssl\ssl_clnt.c 179
> SSL_connect() \ssl\ssl_lib.c 727
>
> Taking a closer look I found that in
> ssl3_handshake_mac() we have instantiated EVP_MD_CTX ctx;
> and then call EVP_MD_CTX_copy(&ctx,in_ctx) inside which we do a memcpy.
> Now ctx has a pointer member const EVP_MD *digest;
> When we instantiate ctx, digest being a member pointer does not get
> allocated any memory and when we do the memcpy inside EVP_MD_CTX_copy
> we are copying data into a dangling pointer. Shouldn't we allocate memory
> for ctx.digest before calling EVP_MD_CTX_copy?
> I am using openssl-0.9.5a but I checked the latest openssl-0.9.6
> engine. This bug is still there.
What the call does is to copy the EVP_MD_CTX structure using memcpy. It
is writing the *pointer* in_ctx.digest to ctx.digest.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
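The point Steve makes, shown as an added example that is not OpenSSL code and not part of the original thread: a flat memcpy of a context struct copies the *value* of its pointer member (the address of the static digest descriptor), it never dereferences that pointer, so no memory has to be allocated for `ctx.digest` before the copy. The names `toy_md`, `toy_md_ctx`, `toy_md_ctx_copy` and `toy_md_ctx_init` are hypothetical stand-ins for `EVP_MD`, `EVP_MD_CTX`, `EVP_MD_CTX_copy` and `EVP_DigestInit`, and the 88-byte state buffer is a constructed stand-in for the real context's hash-state union.

```c
/* Added example, not OpenSSL code.  toy_md / toy_md_ctx / toy_md_ctx_copy
 * are hypothetical stand-ins for EVP_MD / EVP_MD_CTX / EVP_MD_CTX_copy. */
#include <stdio.h>
#include <string.h>

/* Descriptor of a digest algorithm.  In OpenSSL these are static,
 * read-only tables (EVP_md5(), EVP_sha1(), ...), so many contexts
 * pointing at the same descriptor is the intended design. */
typedef struct toy_md_st {
    const char *name;
    int md_size;
} toy_md;

/* A context: the first member is a pointer to the descriptor, followed
 * by inline hash state.  sizeof(toy_md_ctx) covers the whole struct;
 * the pointer member is only its first few bytes. */
typedef struct toy_md_ctx_st {
    const toy_md *digest;
    unsigned char state[88];   /* constructed stand-in for the md union */
} toy_md_ctx;

static const toy_md toy_sha1 = { "toy-sha1", 20 };

/* Mirrors the 0.9.x EVP_MD_CTX_copy(): a flat memcpy of the struct.
 * The first sizeof(void *) bytes written into *out are the value of
 * in->digest (an address); nothing is written through that pointer,
 * so out->digest needs no allocation beforehand. */
static void toy_md_ctx_copy(toy_md_ctx *out, const toy_md_ctx *in)
{
    memcpy((char *)out, (const char *)in, sizeof *out);
}

/* Fill a context the way a digest-init call would: point digest at the
 * static descriptor and put some state in the inline buffer. */
static void toy_md_ctx_init(toy_md_ctx *ctx, const toy_md *md, unsigned char fill)
{
    ctx->digest = md;
    memset(ctx->state, fill, sizeof ctx->state);
}

/* Returns 1 if a copy made into an uninitialised destination ends up
 * sharing the descriptor pointer with the source while owning its own
 * state buffer, 0 otherwise. */
int copy_shares_descriptor_and_owns_state(void)
{
    toy_md_ctx in, out;   /* out left uninitialised, like ctx in ssl3_handshake_mac() */

    toy_md_ctx_init(&in, &toy_sha1, 0xAB);
    toy_md_ctx_copy(&out, &in);

    if (out.digest != in.digest)            /* pointer value copied, not the pointee */
        return 0;
    if (memcmp(out.state, in.state, sizeof out.state) != 0)
        return 0;

    out.state[0] = 0xCD;                     /* mutate the copy's state ... */
    if (in.state[0] != 0xAB)                 /* ... the source must be untouched */
        return 0;
    return out.digest->md_size == 20;        /* the shared descriptor is readable */
}

/* Number of bytes the copy actually moves: the whole struct, never just
 * the pointer member's size that the tool reported as "destination size". */
size_t toy_md_ctx_size(void)
{
    return sizeof(toy_md_ctx);
}

int main(void)
{
    printf("copy shares descriptor, owns state: %d\n",
           copy_shares_descriptor_and_owns_state());
    printf("bytes copied per context: %lu\n", (unsigned long)toy_md_ctx_size());
    return 0;
}
```

The report "copying 96 bytes to ctx.digest, destination size 4 bytes" is the checker seeing `(char *)out` land on the first member of the struct and sizing the destination by that member alone; the copy is a whole-struct shallow copy, and the only thing to watch for in such a design is a member that points at memory the context *owns* (which would then need a deep copy), not a pointer to a shared static table.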