Hi
I found a bug in add_cert_dir() in crypto/x509/by_dir.c, which is getting
called through SSL_CTX_load_verify_locations() specifying a path directory.
The bug was found in OpenSSL v0.9.8e but still remains in v0.9.8h.
If you call SSL_CTX_load_verify_locations specifying the same path more than
once, the code in add_cert_dir() will notice that the entry is already in the
cache, and it will hit the continue at line 205 and it will continue to move
the p pointer ahead, which will end up looking past the memory allocated for
the path specified by the caller. This can cause a crash if the code moves the
pointer to an invalid address or cause memory leaks when it finds random
strings in the memory address past the path name and adds it to the cache.
The code in question is:
    for (;;p++)
        {
        if ((*p == LIST_SEPARATOR_CHAR) || (*p == '\0'))
            {
            ss=s;
            s=p+1;
            len=(int)(p-ss);
            if (len == 0) continue;
            for (j=0; j<ctx->num_dirs; j++)
                if (strlen(ctx->dirs[j]) == (size_t)len &&
                    strncmp(ctx->dirs[j],ss,(unsigned int)len) == 0)
                    break;
            if (j<ctx->num_dirs)
                continue;   /* entry already cached: loops on without testing *p for '\0' */
When the code finds the entry in the ctx->dirs cache, it will continue but if
that was the last entry, it will keep looping through because it didn't check
that it was the last entry so it doesn't need to keep going.
Some pseudo-code as an example, assuming "/tmp" is valid:
    #include <stdio.h>
    #include <openssl/ssl.h>
    #include <openssl/err.h>

    int main(void)
    {
        SSL_CTX *ssl_ctx;
        int i;

        SSL_library_init();
        SSL_load_error_strings();
        ssl_ctx = SSL_CTX_new(SSLv23_server_method());

        /* Load the same directory twice; the second call hits the
           "already cached" continue in add_cert_dir(). */
        for (i = 0; i < 2; i++) {
            if (!SSL_CTX_load_verify_locations(ssl_ctx, NULL, "/tmp"))
                printf("error = %lu\n", ERR_get_error());
        }
        return 0;
    }
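For comparison, here is a corrected version of the list-splitting loop, added as an example and not code from the OpenSSL tree or from the reporter. It stands in a simplified `dir_cache` struct (an assumption) for the real ctx->dirs array and moves the `'\0'` test after the if-block so that neither the "already cached" path nor the "empty entry" path can skip it; the same fix therefore also covers a list ending in a separator, which the `len == 0` continue would otherwise walk past in the same way.

```c
#include <stdlib.h>
#include <string.h>
#define LIST_SEPARATOR_CHAR ':'   /* ':' on Unix, ';' on Windows */
#define MAX_DIRS 16

/* Constructed stand-in for the lookup method's ctx->dirs cache. */
typedef struct {
    char *dirs[MAX_DIRS];
    int num_dirs;
} dir_cache;

/* Add each directory in the separator-delimited list to the cache,
 * skipping empty entries and directories already cached.  Returns the
 * number of entries added, or -1 if the cache is full or malloc fails.
 * The '\0' test sits after the if-block, so the "already cached" and
 * "empty entry" paths cannot skip it and p never runs past the end. */
int add_cert_dir_fixed(dir_cache *ctx, const char *dir)
{
    const char *s = dir, *ss, *p;
    int added = 0;
    if (dir == NULL)
        return 0;
    for (p = s;; p++) {
        if (*p == LIST_SEPARATOR_CHAR || *p == '\0') {
            int len, j;
            ss = s;
            s = p + 1;
            len = (int)(p - ss);
            if (len > 0) {                  /* ignore "" between separators */
                for (j = 0; j < ctx->num_dirs; j++)
                    if (strlen(ctx->dirs[j]) == (size_t)len &&
                        strncmp(ctx->dirs[j], ss, (size_t)len) == 0)
                        break;
                if (j == ctx->num_dirs) {   /* not cached yet: copy it in */
                    char *copy;
                    if (ctx->num_dirs == MAX_DIRS ||
                        (copy = malloc((size_t)len + 1)) == NULL)
                        return -1;
                    memcpy(copy, ss, (size_t)len);
                    copy[len] = '\0';
                    ctx->dirs[ctx->num_dirs++] = copy;
                    added++;
                }
            }
        }
        if (*p == '\0')     /* reached on every iteration, duplicate or not */
            break;
    }
    return added;
}
```

Loading "/tmp" twice into the same cache adds one entry the first time and none the second, and the loop stops at the terminator both times instead of reading on past the caller's buffer.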