There appears to be a bug in the SSL bio (ssl/bio_ssl.c) when processing 
the BIO_flush() function.  This causes a segmentation fault on Linux.

OpenSSL 0.9.8b 04 May 2006
built on: Mon Oct 15 17:44:48 EDT 2007
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) 
blowfish(ptr2)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT 
-DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -I/usr/kerberos/include -DL_ENDIAN 
-DTERMIO -Wall -DMD32_REG_T=int -O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DMD5_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  dynamic

Linux 2.6.25.6-27.fc8 #1 SMP Fri Jun 13 16:17:54 EDT 2008 x86_64 x86_64 
x86_64 GNU/Linux

Program received signal SIGSEGV, Segmentation fault.
0x024299f9 in BIO_copy_next_retry () from /lib/libcrypto.so.6
(gdb) bt
#0  0x024299f9 in BIO_copy_next_retry () from /lib/libcrypto.so.6
#1  0x066607f8 in ?? () from /lib/libssl.so.6
#2  0x02429d3a in BIO_ctrl () from /lib/libcrypto.so.6
#3  0x0809cdbd in ?? ()
#4  0x09df9338 in ?? ()
#5  0x0000000b in ?? ()
#6  0x00000000 in ?? ()

Looking at the source code (ssl/bio_ssl.c) in the ssl_ctrl() function 
for the BIO_CTRL_FLUSH case I see:

     case BIO_CTRL_FLUSH:
         BIO_clear_retry_flags(b);
         ret=BIO_ctrl(ssl->wbio,cmd,num,ptr);
         BIO_copy_next_retry(b);
         break;

The BIO_copy_next_retry(b) function will always cause a segmentation 
fault, because it dereferences the b->bio_next member, which, for an SSL 
BIO, is always NULL.  The SSL BIO is not attached using BIO_push(), but 
by using SSL_set_bio() instead.  SSL_set_bio() attaches the next BIO to 
the SSL BIO's ssl->wbio and ssl->rbio members, leaving the SSL BIO's 
bio_next member NULL.

The code in ssl/bio_ssl.c could instead do:

         BIO_set_flags(b,BIO_get_retry_flags(ssl->wbio));
         b->retry_reason = ssl->wbio->retry_reason;

I have checked the latest source code (1.0.0e) and it has not changed 
from the version that I have.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
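To make the attachment difference described in the report concrete, here is an added example (not OpenSSL's code and not part of the report) that models the BIO and SSL structs with simplified stand-ins; the flag values and field names follow OpenSSL 0.9.8's bio.h, and everything else (the struct layouts, the helper names, the sample retry_reason) is assumed for illustration.

```c
/* Added example, not OpenSSL's own code: a reduced model of the BIO and SSL
 * structs from the report (stand-in structs, flag values from bio.h), showing
 * the flush path rewritten with the fix the report proposes. */
#include <stddef.h>

#define BIO_FLAGS_READ         0x01
#define BIO_FLAGS_WRITE        0x02
#define BIO_FLAGS_IO_SPECIAL   0x04
#define BIO_FLAGS_SHOULD_RETRY 0x08
#define BIO_RETRY_MASK (BIO_FLAGS_READ | BIO_FLAGS_WRITE | BIO_FLAGS_IO_SPECIAL | BIO_FLAGS_SHOULD_RETRY)

typedef struct bio_st {
    int flags;
    int retry_reason;
    struct bio_st *next_bio;  /* set by BIO_push(), left NULL by SSL_set_bio() */
} BIO;
typedef struct ssl_st { BIO *rbio; BIO *wbio; } SSL;  /* filled by SSL_set_bio() */

/* The two attachment styles the report contrasts. */
static void bio_push(BIO *b, BIO *next) { b->next_bio = next; }
static void ssl_set_bio(SSL *s, BIO *rbio, BIO *wbio) { s->rbio = rbio; s->wbio = wbio; }

/* BIO_CTRL_FLUSH with the report's fix: copy the retry state from ssl->wbio,
 * the BIO SSL_set_bio() actually attached, instead of letting
 * BIO_copy_next_retry() dereference b->next_bio (NULL for an SSL BIO).
 * Returns 0 when there is no write BIO to flush through, 1 otherwise. */
static int ssl_ctrl_flush(BIO *b, SSL *ssl) {
    if (ssl == NULL || ssl->wbio == NULL)
        return 0;
    b->flags &= ~BIO_RETRY_MASK;                     /* BIO_clear_retry_flags(b) */
    /* BIO_ctrl(ssl->wbio, BIO_CTRL_FLUSH, ...) would run here; the model
     * assumes the write BIO already records whether it needs a retry. */
    b->flags |= ssl->wbio->flags & BIO_RETRY_MASK;   /* BIO_set_flags(b, BIO_get_retry_flags(ssl->wbio)) */
    b->retry_reason = ssl->wbio->retry_reason;
    return 1;
}

/* Attach a write BIO the way SSL_set_bio() does, mark it as needing a retry,
 * flush, and report whether the SSL BIO picked that up while its next_bio
 * stayed NULL (the state in which the original code crashes). */
static int demo_flush_via_set_bio(void) {
    BIO ssl_bio = {0, 0, NULL}, wbio = {0, 0, NULL};
    SSL ssl = {NULL, NULL};
    ssl_set_bio(&ssl, &wbio, &wbio);
    wbio.flags = BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY;  /* write would block */
    wbio.retry_reason = 11;                                  /* constructed value */
    return ssl_ctrl_flush(&ssl_bio, &ssl) == 1 && ssl_bio.next_bio == NULL
        && (ssl_bio.flags & BIO_FLAGS_SHOULD_RETRY) != 0 && ssl_bio.retry_reason == 11;
}
```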