OS: Mac OS X 11.11.5
Version: OpenSSL 1.1-pre6 (head code as of yesterday)

When the server fails under some circumstances, this line reads a bad address:

    /* write the header */
    *(outbuf[j]++) = type & 0xff;
Because outbuf is 3. This is because prior to the alignment code, outbuf is NULL. outbuf is set to s->rlayer->wbuf[0].buf, which at that point has been set to NULL by the code guarded by #if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK in ssl3_write_bytes.

I'm sorry I can't give you a simple reproducer; I was able to reproduce it by mailing very large files with our mail app. Eventually the Exchange server fails and downstream code resets the write buffer, and the multiblock code sets s->rlayer->wbuf[0].buf to NULL.

The workaround is to compile with -DOPENSSL_NO_MULTIBLOCK -- I've verified that this eliminates the crash in practice.

Feel free to email me if you want me to put in some test code and reproduce it.

Dave

Sent with [inky](http://inky.com?kme=signature)

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4618
Please log in as guest with password guest if prompted
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev