LibreSSL has a patch for this at: http://anoncvs.estpak.ee/cgi-bin/cgit/openbsd-src/commit/lib/libssl?id=cb8b51bf2f6517fe96ab0d20c4d9bba2eef1b67c

I believe that patch is not really the correct fix. My understanding is that "tot" is what is already written, and that "len" is until where we want to write and so that len should never be smaller than tot and I think we should instead find out why len can be smaller than tot and fix that instead.

Kurt

On Mon, Apr 21, 2014 at 05:40:01PM +0200, Ajit Menon via RT wrote:
> Hi,
> This happens in the 0.9.8 branch for sure (even in the latest y version).
> Not sure if it is there in 1.x versions.
> The problem is with code in s3_pkt.c: the ssl3_write_bytes() function.
> Within this function, there is a line, n=(len-tot). Here if 'len' is less
> than 'tot' then the result is a large value for n (n is unsigned) which is
> then used to access memory. This causes a very large invalid memory to be
> accessed and ultimately ends with an access violation type crash!
> Now, I must say that openssl expects 'len' to be more than 'tot' or at least
> equal to it. This is typically the case when the client retries a Write call
> after an earlier one fails for WANT_READ or WANT_WRITE.
> However, in this particular case, the client had a bug due to which it did
> not retry the failed operation. Now, that would again typically cause OpenSSL
> to detect that a new buf was used for the next operation and the next
> operation can be errored out.
> However, in this particular case, the client just reuses a fixed buffer and
> it was sending new data that was much smaller than the previous failed data
> send.
> Ultimately it is a bug on the client side but adding a check at the OpenSSL
> level for this case to see if len >= tot before making the arithmetic seems
> like the appropriate thing to do.
> Thanks,
> Ajit
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List openssl-dev@openssl.org
> Automated List Manager majord...@openssl.org
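
The length check proposed in the quoted report, as an added example that is not part of the original thread and is not OpenSSL or LibreSSL code. It is a simplified model of the `tot`/`len` retry bookkeeping; `struct conn`, `capacity`, `write_bytes`, `remaining_unchecked` and the `W_*` codes are hypothetical names, and all values are constructed.

```c
#include <limits.h>
#include <stdio.h>

/* Simplified model of the retry bookkeeping in the report; not OpenSSL code. */
enum { W_OK = 0, W_WANT_WRITE = -1, W_BAD_LENGTH = -2 };

struct conn {
    unsigned int tot;       /* bytes already written by an unfinished call */
    unsigned int capacity;  /* bytes the hypothetical transport accepts before blocking */
};

/* The subtraction from the report with no ordering check. */
unsigned int remaining_unchecked(const struct conn *c, unsigned int len)
{
    return len - c->tot;    /* wraps to a huge value when len < tot */
}

/* Write loop with the guard: refuse a call whose len is below what was
 * already written, instead of deriving a byte count from it. */
int write_bytes(struct conn *c, unsigned int len)
{
    unsigned int n, chunk;

    if (len < c->tot)
        return W_BAD_LENGTH;
    n = len - c->tot;
    while (n > 0) {
        if (c->capacity == 0)
            return W_WANT_WRITE;    /* caller must retry with the same len */
        chunk = n < c->capacity ? n : c->capacity;
        c->capacity -= chunk;
        c->tot += chunk;
        n -= chunk;
    }
    c->tot = 0;                     /* whole buffer sent; reset for the next write */
    return W_OK;
}

int main(void)
{
    struct conn c = { 0, 1000 };            /* constructed values */
    int first = write_bytes(&c, 4096);      /* 1000 bytes go out, then it blocks */
    printf("first call: %d, tot=%u\n", first, c.tot);
    printf("unchecked n for len=100: %u\n", remaining_unchecked(&c, 100));
    printf("guarded call, len=100: %d\n", write_bytes(&c, 100));
    c.capacity = 8192;
    printf("proper retry, len=4096: %d\n", write_bytes(&c, 4096));
    return 0;
}
```

The guarded call leaves `tot` untouched, so a later retry with the original length still completes.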