I have found a bug which reproduces after you try to unwind the OpenSSL error stack with errors from a dynamic engine after unloading this engine.
The point is that the error reporting function ERR_put_error, which is often called with the __FILE__ macro for its char *file argument, stores this pointer in the structure (es->err_file[es->top]=file;), and when we try to print this error after unloading the engine we get an Access Violation because the err_file pointer is invalid.

You can easily reproduce this with the ibm pkcs11 engine from opencryptoki http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/openssl-ibmpkcs11;a=summary by running

    openssl engine -vvvv dynamic -pre SO_PATH:ibm_pkcs11.dll -pre LOAD

The engine reports some errors during the bind call, then openssl unloads it, then tries to show the errors, and then crashes.

And the second question is: how does it even work? How can we store a temporary char array using a bare char* pointer? Shouldn't the ERR_STATE structure contain buffers for these strings, and shouldn't the strings be copied?
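
The lifetime problem described in this post, as an added example that is not part of the original message and is not OpenSSL code: a miniature error stack that keeps both the borrowed file pointer and an owned copy of the string. The struct, the function names, the file name e_sample_engine.c and the module_image buffer (which stands in for the engine's mapped string data) are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define ERR_SLOTS 4
#define FILE_LEN  64

/* Hypothetical miniature error stack, not OpenSSL's ERR_STATE. */
struct err_state {
    const char *file_ptr[ERR_SLOTS];      /* borrowed pointer, as in the report */
    char file_copy[ERR_SLOTS][FILE_LEN];  /* owned copy, as the post proposes */
    int line[ERR_SLOTS];
    int top;
};

/* Constructed stand-in for the engine's mapped string data. */
static char module_image[FILE_LEN];

static void module_load(void) {
    snprintf(module_image, sizeof module_image, "%s", "e_sample_engine.c");
}

/* A real unload unmaps the pages and a later read faults; wiping the
 * buffer models that loss without undefined behaviour. */
static void module_unload(void) { memset(module_image, 0, sizeof module_image); }

static void err_put(struct err_state *es, const char *file, int line) {
    int i = es->top++ % ERR_SLOTS;
    es->file_ptr[i] = file;                            /* valid only while loaded */
    snprintf(es->file_copy[i], FILE_LEN, "%s", file);  /* truncates, NUL-terminates */
    es->line[i] = line;
}

/* An error is queued during bind, then the module goes away before printing. */
static struct err_state queue_then_unload(void) {
    struct err_state es = {0};
    module_load();
    err_put(&es, module_image, 42);
    module_unload();
    return es;
}

/* Returns 1 if the recorded file name is still readable after the unload. */
static int name_intact(int use_copy) {
    struct err_state es = queue_then_unload();
    return strcmp(use_copy ? es.file_copy[0] : es.file_ptr[0], "e_sample_engine.c") == 0;
}

int main(void) {
    printf("borrowed intact: %d, copied intact: %d\n", name_intact(0), name_intact(1));
    return 0;
}
```

The copy costs FILE_LEN bytes per slot and truncates long paths, which is the trade-off against storing a bare pointer.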
