Ticket metadata
The Basics
Id: 1923
Status: resolved
Priority: 0/
Queue: OpenSSL-Bugs

Custom Fields
Milestone: (no value)
Subsystem: (no value)
Severity: (no value)
Broken in: (no value)

People
Owner: Stephen Henson
Requestors: Daniel Mentz
Cc:
AdminCc:

Dates
Created: Mon May 11 09:07:02 2009
Starts: Not set
Started: Not set
Last Contact: Tue May 12 16:43:27 2009
Due: Not set
Closed: Wed May 13 13:53:24 2009
Updated: Wed May 13 13:53:24 2009 by Stephen Henson



Subject: dtls1_retrieve_buffered_fragment: Read from freed data structure
Date: Sun, 10 May 2009 20:18:21 +0200
To: rt@openssl.org
From: Daniel Mentz <daniel.m@sent.com>
This is a bug report.
Version: openssl-1.0.0-beta2
OS: Ubuntu 9.04, Linux 2.6.28-11-generic #42-Ubuntu SMP

When I run

./openssl s_server -dtls1 -no_ecdhe -timeout -cert large.pem

against

./openssl s_client -dtls1

I'll get a Segmentation fault on the client side. I attached the
certificate (including the private key) to this bug report. GDB told me
that the error happened at d1_both.c:539:

return frag->msg_header.frag_len;

The pointer frag was freed 6 lines above. So I guess the problem is that
this function accesses a data structure that has already been freed. To
fix this bug I created a temporary variable and copied the value of
frag->msg_header.frag_len into that variable right before the call to
free(). The return statement then uses this copy instead of accessing
already freed memory.
With this change applied s_client does not crash any more. I attached
the patch to this bug report.

-Daniel
Attachment: large.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
--- ../vanilla/openssl-1.0.0-beta2/ssl/d1_both.c 2009-04-19 20:03:11.000000000 +0200
+++ ssl/d1_both.c 2009-05-10 19:47:42.000000000 +0200
@@ -530,13 +530,14 @@
frag->fragment,frag->msg_header.frag_len);
}

+ unsigned long frag_len = frag->msg_header.frag_len;
dtls1_hm_fragment_free(frag);
pitem_free(item);

if (al==0)
{
*ok = 1;
- return frag->msg_header.frag_len;
+ return frag_len;
}

ssl3_send_alert(s,SSL3_AL_FATAL,al);
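Review bot: The added `unsigned long frag_len = frag->msg_header.frag_len;` sits after the closing `}` of the preceding block and before `dtls1_hm_fragment_free(frag);`, so it is a declaration in the middle of a block after statements; OpenSSL is written to C89, where declarations must open a block. Move the declaration to the top of the enclosing block and keep only the assignment at this point. The substance of the fix is right: `frag_len` is read while `frag` is still allocated, and `return frag_len;` no longer touches memory released by `dtls1_hm_fragment_free` and `pitem_free`.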
Subject: [openssl.org #1923] dtls1_retrieve_buffered_fragment: Read from freed data structure
Date: Tue, 12 May 2009 17:37:47 +0200
To: rt@openssl.org
From: Robin Seggelmann <seggelmann@fh-muenster.de>
This suggested patch does not conform to ANSI C. The declaration of
variables always has to be done at the beginning of their scope:

--- ssl/d1_both.c 2009-04-19 20:03:11.000000000 +0200
+++ ssl/d1_both.c 2009-05-12 09:23:30.000000000 +0200
@@ -519,6 +519,8 @@

if ( s->d1->handshake_read_seq == frag->msg_header.seq)
{
+ unsigned long frag_len = frag->msg_header.frag_len;
+
pqueue_pop(s->d1->buffered_messages);

al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
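Review bot: Placing the declaration directly after the `{` of the `handshake_read_seq == frag->msg_header.seq` branch makes it a block-leading declaration, which is valid ANSI C. One thing to confirm: the copy is now taken before `dtls1_preprocess_fragment(s,&frag->msg_header,max)` rather than after it, as the original `return` read it, so the returned length is unchanged only if that call never writes to `msg_header.frag_len`; if it did (for instance clamping against `max`), the assignment would have to move below that call instead.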
@@ -536,7 +538,7 @@
if (al==0)
{
*ok = 1;
- return frag->msg_header.frag_len;
+ return frag_len;
}

ssl3_send_alert(s,SSL3_AL_FATAL,al);
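Review bot: `return frag_len;` in the `al==0` path returns the saved copy, which is the actual use-after-free fix; a one-line comment at this return (or at the declaration) saying that `frag` has already been released by `dtls1_hm_fragment_free` and `pitem_free` by this point would keep a later cleanup from reintroducing `frag->msg_header.frag_len` here. The visible `ssl3_send_alert(s,SSL3_AL_FATAL,al);` line in the error path does not dereference `frag`, so no change is needed there.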
Patches were corrupted, so I applied them manually. Ticket resolved.
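The use-after-free the reporter describes, and the order-of-operations fix the two patches converge on, as an added C example (this is not OpenSSL's code and was not attached to this ticket): `hm_header_st` and `hm_fragment` are simplified stand-ins for the d1_both.c types, `frag_new`, `frag_free`, `retrieve_buffered_fragment` and the `demo_*` helpers are constructed for this illustration, and the poisoning `frag_free` is an assumed hardening that OpenSSL's `dtls1_hm_fragment_free` is not claimed to perform. The point it shows is the one from the thread: `frag_len` is copied into a block-leading local (valid C89, as Robin Seggelmann's reply requires) while `frag` is still live, so the return after the free never dereferences the released object.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the hm_header_st / hm_fragment types in
 * OpenSSL's ssl/d1_both.c. Field names follow the ticket; the layout and
 * the helper functions below are illustrative, not the real code. */
struct hm_header_st {
    unsigned char type;
    unsigned long msg_len;
    unsigned short seq;
    unsigned long frag_off;
    unsigned long frag_len;
};

typedef struct hm_fragment_st {
    struct hm_header_st msg_header;
    unsigned char *fragment;
} hm_fragment;

/* Allocate a fragment with the given seq/frag_len and a 0xAB-filled payload. */
static hm_fragment *frag_new(unsigned short seq, unsigned long frag_len)
{
    hm_fragment *frag = malloc(sizeof(*frag));
    if (frag == NULL)
        return NULL;
    memset(&frag->msg_header, 0, sizeof(frag->msg_header));
    frag->msg_header.seq = seq;
    frag->msg_header.frag_len = frag_len;
    frag->fragment = malloc(frag_len ? frag_len : 1);
    if (frag->fragment == NULL) {
        free(frag);
        return NULL;
    }
    memset(frag->fragment, 0xAB, frag_len);
    return frag;
}

/* Poisoning free (assumed hardening, not OpenSSL's dtls1_hm_fragment_free):
 * overwrite the object before releasing it, so that a read through a
 * dangling pointer in a test build yields an obviously bogus 0xDD.. value
 * instead of quietly returning the stale length. */
static void frag_free(hm_fragment *frag)
{
    if (frag == NULL)
        return;
    if (frag->fragment != NULL) {
        memset(frag->fragment, 0xDD, frag->msg_header.frag_len);
        free(frag->fragment);
    }
    memset(frag, 0xDD, sizeof(*frag));
    free(frag);
}

/* Model of the fixed dtls1_retrieve_buffered_fragment flow: check the
 * sequence number, copy the payload out, save frag_len in a local while
 * frag is still live, free the fragment, and only then return the copy.
 * Returns the fragment length with *ok = 1, or -1 with *ok = 0 when the
 * fragment does not match expected_seq or does not fit in dest. */
static long retrieve_buffered_fragment(hm_fragment **slot, unsigned short expected_seq,
                                       unsigned char *dest, size_t dest_len, int *ok)
{
    hm_fragment *frag = *slot;
    unsigned long frag_len;                 /* C89: declared at block start */

    *ok = 0;
    if (frag == NULL || frag->msg_header.seq != expected_seq)
        return -1;                          /* not ours yet: leave it buffered */
    if (frag->msg_header.frag_len > dest_len)
        return -1;

    frag_len = frag->msg_header.frag_len;   /* copy BEFORE the free */
    memcpy(dest, frag->fragment, frag_len);
    *slot = NULL;                           /* pop it from the "queue" */
    frag_free(frag);                        /* frag is dangling from here on */

    *ok = 1;
    return (long)frag_len;                  /* never frag->msg_header.frag_len here */
}

/* Scenario: the buffered fragment is the one we are waiting for. */
static long demo_matching_seq(void)
{
    unsigned char dest[64];
    int ok = 0;
    hm_fragment *slot = frag_new(3, 16);
    long n = retrieve_buffered_fragment(&slot, 3, dest, sizeof(dest), &ok);
    /* slot is NULL now and the payload reached dest before the free */
    return (ok == 1 && slot == NULL && dest[0] == 0xAB && dest[15] == 0xAB) ? n : -2;
}

/* Scenario: sequence mismatch, the fragment must stay buffered and intact. */
static long demo_wrong_seq(void)
{
    unsigned char dest[64];
    int ok = 0;
    hm_fragment *slot = frag_new(5, 16);
    long n = retrieve_buffered_fragment(&slot, 3, dest, sizeof(dest), &ok);
    int still_buffered = (slot != NULL);
    frag_free(slot);                        /* not consumed, so release it here */
    return (ok == 0 && still_buffered) ? n : -2;
}

int main(void)
{
    printf("matching seq -> %ld\n", demo_matching_seq());   /* 16 */
    printf("wrong seq    -> %ld\n", demo_wrong_seq());      /* -1 */
    return 0;
}
```

The poisoning in `frag_free` is the defender's angle on this class of bug: had the original `return frag->msg_header.frag_len;` run against a poisoned object, s_client would have received a 0xDD-patterned length rather than a plausible stale one, which makes the defect show up in ordinary tests; in practice AddressSanitizer or valgrind flags the read itself. Reading freed memory is undefined behaviour either way, so the real fix remains the one applied in the ticket, copying the value out before the free.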