CC'ing tech@.

The last commit to bn_print.c is wrong, it dereferences t while it's still NULL.

Backout diff below.


On 2015/09/17 22:42, Mikolaj Kucharski wrote:
> Hi,
> 
> Does anyone see this as well? I've just upgraded to:
> 
> OpenBSD 5.8-current (GENERIC) #1164: Wed Sep 16 21:16:53 MDT 2015
>     dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
> 
> and to openvpn-2.3.8 from packages but it segfaulted during connecting
> by remote client. Then I've recompiled by hand with DEBUG='-g' from
> ports and now running openvpn-2.3.8p1, but facing the same issue.
> 
> To be able to get core dump, needed to run openvpn as root, but the same
> segfault happens when openvpn drops priviliges.
> 
> Before that I was running snapshot from Aug 13 with packages and I
> didn't had that problem.
> 
> Let me know if you need any more info.
> 
> 
> # /usr/local/sbin/openvpn --cd /etc/openvpn --config server.conf --mtu-test
> Thu Sep 17 22:16:17 2015 OpenVPN 2.3.8 i386-unknown-openbsd5.8 [SSL 
> (OpenSSL)] [LZO] [MH] [IPv6] built on Sep 17 2015
> Thu Sep 17 22:16:17 2015 library versions: LibreSSL 2.3.0, LZO 2.09
> Thu Sep 17 22:16:17 2015 mlockall call succeeded
> Thu Sep 17 22:16:17 2015 WARNING: you are using chroot without specifying 
> user and group -- this may cause the chroot jail to be insecure
> Thu Sep 17 22:16:22 2015 Diffie-Hellman initialized with 4096 bit key
> Thu Sep 17 22:16:22 2015 Control Channel Authentication: using 
> 'certs/hmac.key' as a OpenVPN static key file
> Thu Sep 17 22:16:22 2015 Outgoing Control Channel Authentication: Using 512 
> bit message hash 'SHA512' for HMAC authentication
> Thu Sep 17 22:16:22 2015 Incoming Control Channel Authentication: Using 512 
> bit message hash 'SHA512' for HMAC authentication
> Thu Sep 17 22:16:22 2015 Socket Buffers: R=[41600->65536] S=[9216->65536]
> Thu Sep 17 22:16:22 2015 TUN/TAP device tun2 exists previously, keep at 
> program end
> Thu Sep 17 22:16:22 2015 TUN/TAP device /dev/tun2 opened
> Thu Sep 17 22:16:22 2015 do_ifconfig, tt->ipv6=1, 
> tt->did_ifconfig_ipv6_setup=1
> Thu Sep 17 22:16:22 2015 /sbin/ifconfig tun2 192.168.202.1 192.168.202.1 mtu 
> 1500 netmask 255.255.255.0 up -link0
> Thu Sep 17 22:16:22 2015 /sbin/ifconfig tun2 inet6 
> 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:1/64
> Thu Sep 17 22:16:22 2015 
> add_route_ipv6(2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:/64 -> 
> 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:1 metric 0) dev tun2
> Thu Sep 17 22:16:22 2015 /sbin/route add -inet6 
> 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx: -prefixlen 64 
> 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:1
> route: writing to routing socket: File exists
> add net 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:: gateway 
> 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:1: File exists
> Thu Sep 17 22:16:22 2015 ERROR: OpenBSD route add -inet6 command failed: 
> external program exited with error status: 1
> Thu Sep 17 22:16:22 2015 /sbin/route add -net 192.168.202.0 192.168.202.1 
> -netmask 255.255.255.0
> add net 192.168.202.0: gateway 192.168.202.1
> Thu Sep 17 22:16:22 2015 chroot to '/var/openvpn' and cd to '/' succeeded
> Thu Sep 17 22:16:22 2015 UDPv4 link local (bound): [undef]
> Thu Sep 17 22:16:22 2015 UDPv4 link remote: [undef]
> Thu Sep 17 22:16:22 2015 MULTI: multi_init called, r=256 v=256
> Thu Sep 17 22:16:22 2015 IFCONFIG POOL IPv6: (IPv4) size=252, 
> size_ipv6=65536, netbits=64, base_ipv6=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:1000
> Thu Sep 17 22:16:22 2015 IFCONFIG POOL: base=192.168.202.2 size=252, ipv6=1
> Thu Sep 17 22:16:22 2015 Initialization Sequence Completed
> Thu Sep 17 22:16:32 2015 83.xxx.xxx.xxx:48100 TLS: Initial packet from 
> [AF_INET]83.xxx.xxx.xxx:48100, sid=41b68ea4 12015b6e
> Segmentation fault (core dumped) 
> 
> 
> 
> (gdb) bt
> #0  BN_bn2dec (a=0x805e8460) at 
> /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bn/bn_print.c:117
> #1  0x179a2aa0 in backend_x509_get_serial (cert=0x8308b500, gc=0xcf7d0320) at 
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify_openssl.c:229
> #2  0x179a0345 in verify_cert_set_env (x509_track=<optimized out>, 
> common_name=<optimized out>, subject=<optimized out>, cert_depth=<optimized 
> out>, peer_cert=<optimized out>, es=0x78d2d230) at 
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify.c:438
> #3  verify_cert (session=0x8130a6bc, cert=0x8308b500, cert_depth=0) at 
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify.c:665
> #4  0x179a2d26 in verify_callback (preverify_ok=1, ctx=0xcf7d05d4) at 
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify_openssl.c:84
> #5  0x05aebfcf in internal_verify (ctx=0xcf7d05d4) at 
> /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/x509/x509_vfy.c:1612
> #6  0x05aed6b2 in X509_verify_cert (ctx=0xcf7d05d4) at 
> /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/x509/x509_vfy.c:374
> #7  0x092eab0a in ssl_verify_cert_chain (s=0x87394000, sk=0x847b88c0) at 
> /usr/src/lib/libssl/ssl/../../libssl/src/ssl/ssl_cert.c:452
> #8  0x092e57d4 in ssl3_get_client_certificate (s=0x87394000) at 
> /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s3_srvr.c:2385
> #9  0x092e96e5 in ssl3_accept (s=0x87394000) at 
> /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s3_srvr.c:447
> #10 0x092d7f5a in ssl3_read_bytes (s=0x87394000, type=23, buf=0x87395800 "", 
> len=2048, peek=0) at /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s3_pkt.c:890
> #11 0x092d8f96 in ssl3_read_internal (s=0x87394000, buf=0x87395800, len=2048, 
> peek=0) at /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s3_lib.c:2743
> #12 0x092cb208 in SSL_read (s=0x78d2d720, buf=0x87395800, num=2048) at 
> /usr/src/lib/libssl/ssl/../../libssl/src/ssl/ssl_lib.c:957
> #13 0x092c2736 in ssl_read (b=0x7af2d840, out=0x87395800 "", outl=2048) at 
> /usr/src/lib/libssl/ssl/../../libssl/src/ssl/bio_ssl.c:156
> #14 0x05b3e581 in BIO_read (b=0x7af2d840, out=0x87395800, outl=2048) at 
> /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bio/bio_lib.c:217
> #15 0x1799cb4f in bio_read (bio=0x7af2d840, buf=0x8130a824, maxlen=2048, 
> desc=0x37948f3d "tls_read_plaintext") at 
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_openssl.c:1098
> #16 0x17999ee2 in tls_process (multi=0x8130a520, session=0x8130a6bc, 
> to_link=0x81309e90, to_link_addr=0xcf7d0b40, to_link_socket_info=0x85f054c4, 
> wakeup=0xcf7d0b84) at 
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl.c:2411
> #17 0x1799c1e2 in tls_multi_process (multi=0x8130a520, to_link=0x81309e90, 
> to_link_addr=0x81309c34, to_link_socket_info=0x85f054c4, wakeup=0xcf7d0b84) 
> at /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl.c:2635
> #18 0x1793e1f4 in check_tls_dowork (c=0x813096b0) at 
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/forward.c:100
> #19 0x1793eb38 in check_tls (c=<optimized out>) at 
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/forward-inline.h:41
> #20 pre_select (c=0x813096b0) at 
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/forward.c:1331
> #21 0x1795faa6 in multi_process_post (m=0xcf7d0f44, mi=0x81309630, 
> flags=<optimized out>) at 
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/multi.c:2050
> #22 0x17961d5a in multi_process_incoming_link (m=0xcf7d0f44, instance=0x0, 
> mpp_flags=5) at 
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/multi.c:2293
> #23 0x1795b8ba in multi_process_io_udp (m=<optimized out>) at 
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/mudp.c:173
> #24 tunnel_server_udp_single_threaded (top=<optimized out>) at 
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/mudp.c:266
> #25 tunnel_server_udp (top=0xcf7d19b0) at 
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/mudp.c:288
> #26 0x1795bcfd in tunnel_server (top=0xcf7d19b0) at 
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/multi.c:2875
> #27 0x1796447c in openvpn_main (argv=<optimized out>, argc=<optimized out>) 
> at /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/openvpn.c:271
> #28 main (argc=6, argv=0xcf7d2364) at 
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/openvpn.c:342
> (gdb)
> 
> 
> -- 
> best regards
> q#
> 

Index: src/crypto/bn/bn_print.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/crypto/bn/bn_print.c,v
retrieving revision 1.25
diff -u -p -r1.25 bn_print.c
--- src/crypto/bn/bn_print.c    13 Sep 2015 16:02:11 -0000      1.25
+++ src/crypto/bn/bn_print.c    17 Sep 2015 22:18:44 -0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_print.c,v 1.25 2015/09/13 16:02:11 deraadt Exp $ */
+/* $OpenBSD: bn_print.c,v 1.24 2015/09/13 15:59:29 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (e...@cryptsoft.com)
  * All rights reserved.
  *
@@ -114,20 +114,6 @@ BN_bn2dec(const BIGNUM *a)
        BIGNUM *t = NULL;
        BN_ULONG *bn_data = NULL, *lp;
 
-       if (BN_is_zero(t)) {
-               buf = malloc(BN_is_negative(t) + 2);
-               if (buf == NULL) {
-                       BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
-                       goto err;
-               }               
-               p = buf;
-               if (BN_is_negative(t))
-                       *(p++) = '-';
-               *(p++) = '0';
-               *(p++) = '\0';
-               return (buf);
-       }
-               
        /* get an upper bound for the length of the decimal integer
         * num <= (BN_num_bits(a) + 1) * log(2)
         *     <= 3 * BN_num_bits(a) * 0.1001 + log(2) + 1     (rounding error)
@@ -147,26 +133,31 @@ BN_bn2dec(const BIGNUM *a)
 #define BUF_REMAIN (num+3 - (size_t)(p - buf))
        p = buf;
        lp = bn_data;
-       if (BN_is_negative(t))
-               *p++ = '-';
+       if (BN_is_zero(t)) {
+               *(p++) = '0';
+               *(p++) = '\0';
+       } else {
+               if (BN_is_negative(t))
+                       *p++ = '-';
 
-       i = 0;
-       while (!BN_is_zero(t)) {
-               *lp = BN_div_word(t, BN_DEC_CONV);
-               lp++;
-       }
-       lp--;
-       /* We now have a series of blocks, BN_DEC_NUM chars
-        * in length, where the last one needs truncation.
-        * The blocks need to be reversed in order. */
-       snprintf(p, BUF_REMAIN, BN_DEC_FMT1, *lp);
-       while (*p)
-               p++;
-       while (lp != bn_data) {
+               i = 0;
+               while (!BN_is_zero(t)) {
+                       *lp = BN_div_word(t, BN_DEC_CONV);
+                       lp++;
+               }
                lp--;
-               snprintf(p, BUF_REMAIN, BN_DEC_FMT2, *lp);
+               /* We now have a series of blocks, BN_DEC_NUM chars
+                * in length, where the last one needs truncation.
+                * The blocks need to be reversed in order. */
+               snprintf(p, BUF_REMAIN, BN_DEC_FMT1, *lp);
                while (*p)
                        p++;
+               while (lp != bn_data) {
+                       lp--;
+                       snprintf(p, BUF_REMAIN, BN_DEC_FMT2, *lp);
+                       while (*p)
+                               p++;
+               }
        }
        ok = 1;
 

Reply via email to