This is a bug report.
Version: openssl-1.0.0-beta2
OS: Ubuntu 9.04, Linux 2.6.28-11-generic #42-Ubuntu SMP

When I run

./openssl s_server -dtls1 -no_ecdhe -timeout -cert large.pem

against

./openssl s_client -dtls1

I'll get a Segmentation fault on the client side. I attached the 
certificate (including the private key) to this bug report. GDB told me 
that the error happened at d1_both.c:539:

return frag->msg_header.frag_len;

The pointer frag was freed 6 lines above. So I guess the problem is that 
this function accesses a data structure that has already been freed. To 
fix this bug I created a temporary variable and copied the value of 
frag->msg_header.frag_len into that variable right before the call to 
free(). The return statement then uses this copy instead of accessing 
already freed memory.
With this change applied s_client does not crash any more. I attached 
the patch to this bug report.

-Daniel

[attached certificate and RSA private key omitted]
--- ../vanilla/openssl-1.0.0-beta2/ssl/d1_both.c	2009-04-19 20:03:11.000000000 +0200
+++ ssl/d1_both.c	2009-05-10 19:47:42.000000000 +0200
@@ -530,13 +530,14 @@
 				frag->fragment,frag->msg_header.frag_len);
 			}
 
+		unsigned long frag_len = frag->msg_header.frag_len;
 		dtls1_hm_fragment_free(frag);
 		pitem_free(item);
 
 		if (al==0)
 			{
 			*ok = 1;
-			return frag->msg_header.frag_len;
+			return frag_len;
 			}
 
 		ssl3_send_alert(s,SSL3_AL_FATAL,al);
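Review bot: the new declaration `unsigned long frag_len = frag->msg_header.frag_len;` sits after executable statements in the block, which is a C99 mixed declaration; to keep d1_both.c buildable with C89-only compilers, declare `unsigned long frag_len;` at the top of the enclosing block and assign it on the line just before `dtls1_hm_fragment_free(frag);`. The copy itself is the right fix: with it the `al==0` path returns the saved length instead of reading `frag` after `dtls1_hm_fragment_free(frag)` and `pitem_free(item)` have released it, and the alert path is unchanged.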

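The read-after-free described in the report, and the "copy the field before freeing" fix, reduced to a stand-alone model. This is an added example, not OpenSSL code: `hm_fragment`, `frag_alloc`, `frag_free`, `retrieve_buggy` and `retrieve_fixed` are hypothetical names that mirror only the shape of the d1_both.c logic. The static pool that poisons freed slots is an assumption standing in for what AddressSanitizer or a debug heap would show on a real malloc-backed build; with a real heap the buggy read is undefined behaviour and, as the report observed, can crash.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cut-down model of the fragment record, keeping only the field the bug
 * report touches (hypothetical names, not OpenSSL's definitions). */
struct hm_header { unsigned long frag_len; };
struct hm_fragment {
    struct hm_header msg_header;
    unsigned char *fragment;
};

/* Assumed poisoning allocator: fragments live in a static pool that is
 * never returned to malloc, and "freeing" a slot overwrites it with 0xA5.
 * That keeps the demo well-defined while making a read-after-free
 * observable, the way a debug heap or ASan would flag it in practice. */
#define POOL_SLOTS 4
#define POISON 0xA5
static struct hm_fragment pool[POOL_SLOTS];
static int pool_used[POOL_SLOTS];

static struct hm_fragment *frag_alloc(unsigned long frag_len) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool_used[i]) {
            pool_used[i] = 1;
            memset(&pool[i], 0, sizeof pool[i]);
            pool[i].msg_header.frag_len = frag_len;
            pool[i].fragment = malloc(frag_len ? frag_len : 1);
            return &pool[i];
        }
    }
    return NULL;
}

static void frag_free(struct hm_fragment *frag) {
    int slot = (int)(frag - pool);
    free(frag->fragment);
    memset(frag, POISON, sizeof *frag);  /* poison the released record */
    pool_used[slot] = 0;
}

/* Same ordering as the unpatched code: release the fragment first, then
 * return a field of the released object on the success path. */
long retrieve_buggy(struct hm_fragment *frag, int al, int *ok) {
    frag_free(frag);
    if (al == 0) {
        *ok = 1;
        return (long)frag->msg_header.frag_len;  /* reads poisoned memory */
    }
    *ok = 0;
    return -1;
}

/* Patched shape: snapshot the length into a local before the release,
 * and return the local instead of touching frag afterwards. */
long retrieve_fixed(struct hm_fragment *frag, int al, int *ok) {
    unsigned long frag_len = frag->msg_header.frag_len;
    frag_free(frag);
    if (al == 0) {
        *ok = 1;
        return (long)frag_len;
    }
    *ok = 0;
    return -1;
}

/* Success path through the fixed function: returns the length that was
 * stored in the fragment (1234 in this constructed case). */
long run_fixed_case(void) {
    int ok = 0;
    struct hm_fragment *f = frag_alloc(1234);
    long r = retrieve_fixed(f, 0, &ok);
    return ok == 1 ? r : -2;
}

/* Alert path: the fixed function must report failure without crashing. */
long run_alert_case(void) {
    int ok = 1;
    struct hm_fragment *f = frag_alloc(1234);
    long r = retrieve_fixed(f, 40, &ok);
    return ok == 0 ? r : -2;
}

/* Returns 1 when the buggy function hands back the poison pattern instead
 * of 1234, i.e. when the read-after-free is visible. */
int buggy_returns_poison(void) {
    int ok = 0;
    unsigned long poison;
    struct hm_fragment *f = frag_alloc(1234);
    memset(&poison, POISON, sizeof poison);
    return (unsigned long)retrieve_buggy(f, 0, &ok) == poison;
}

int main(void) {
    printf("fixed length: %ld\n", run_fixed_case());
    printf("buggy returns poison: %d\n", buggy_returns_poison());
    return 0;
}
```

The point of the poisoned pool is that the unpatched ordering does not fail loudly on an ordinary heap; the freed record often still holds its old contents, which is why such a bug can survive until a particular allocation pattern (here, a large certificate driving fragmentation) reuses the memory.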