Hi,

This happens in the 0.9.8 branch for sure (even in the latest y version). Not sure if it is there in 1.x versions.

The problem is with code in s3_pkt.c: the ssl3_write_bytes() function. Within this function, there is a line, n=(len-tot). Here if 'len' is less than 'tot' then the result is a large value for n (n is unsigned) which is then used to access memory. This causes a very large invalid memory range to be accessed and ultimately ends with an access violation type crash!

Now, I must say that OpenSSL expects 'len' to be more than 'tot' or at least equal to it. This is typically the case when the client retries a Write call after an earlier one fails for WANT_READ or WANT_WRITE. However, in this particular case, the client had a bug due to which it did not retry the failed operation. Now, that would again typically cause OpenSSL to detect that a new buf was used for the next operation and the next operation can be errored out. However, in this particular case, the client just reuses a fixed buffer and it was sending new data that was much smaller than the previous failed data send.

Ultimately it is a bug on the client side, but adding a check at the OpenSSL level for this case to see if len >= tot before doing the arithmetic seems like the appropriate thing to do.

Thanks,
Ajit
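The unsigned wrap-around that the post describes, shown as a small stand-alone model rather than OpenSSL's own code: `remaining_unchecked()` mirrors the `n = (len - tot)` expression, and `retry_is_valid()` / `remaining_checked()` are the hypothetical pre-check (`len >= tot`) proposed above. Names, the `pending_write` struct and the sample lengths are constructed for this example and are not taken from s3_pkt.c.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the bookkeeping in a retried partial write:
 * 'tot' is the number of bytes already written by an earlier call that
 * returned WANT_READ/WANT_WRITE, 'len' is the length of the buffer the
 * caller passes on the retry. (Hypothetical, not OpenSSL's struct.) */
struct pending_write {
    size_t tot;
};

/* Mirrors the problematic expression n = (len - tot). Both operands are
 * unsigned, so when len < tot the subtraction wraps to a huge value that
 * is then used as a byte count. */
size_t remaining_unchecked(size_t len, size_t tot)
{
    return len - tot;
}

/* The proposed check: a retry is only consistent with the saved state if
 * the caller's buffer is at least as long as what was already consumed. */
int retry_is_valid(size_t len, size_t tot)
{
    return len >= tot;
}

/* Checked variant: returns 0 and stores the remaining length on success,
 * or -1 (a "bad write retry" style error) when len < tot, so no wrapped
 * length ever reaches the code that copies/sends data. */
int remaining_checked(size_t len, size_t tot, size_t *n_out)
{
    if (!retry_is_valid(len, tot))
        return -1;
    *n_out = len - tot;
    return 0;
}

/* Simulated write entry point using the checked arithmetic. Returns the
 * number of bytes that would be sent, or -1 on a mismatched retry. */
long write_bytes_sim(struct pending_write *w, size_t len)
{
    size_t n;
    if (remaining_checked(len, w->tot, &n) != 0)
        return -1;
    w->tot = 0; /* write completed; clear the pending state */
    return (long)n;
}

int main(void)
{
    /* Scenario from the post: 100-byte send fails with WANT_WRITE (tot
     * stays non-zero), then the client reuses its buffer for a 20-byte
     * message without retrying the original call. Lengths are constructed. */
    struct pending_write w = { .tot = 100 };
    size_t len = 20;

    printf("unchecked n = %zu (wrapped)\n", remaining_unchecked(len, w.tot));
    printf("retry valid: %d\n", retry_is_valid(len, w.tot));
    printf("checked write result: %ld\n", write_bytes_sim(&w, len));
    return 0;
}
```

The unchecked value is `SIZE_MAX - 79` on the constructed input, which is exactly the kind of length that walks far past the end of the buffer; the checked path rejects the call instead of computing it.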
______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org