Bug 1323215 - gnutls-serv --http crashes with client certificates with NSS client
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: gnutls
Version: 6.8
Hardware: Unspecified Unspecified
Priority: unspecified Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Nikos Mavrogiannopoulos
QA Contact: Hubert Kario
Keywords: TestBlocker
Depends On:
Blocks: 1343211 1339222
Reported: 2016-04-01 10:45 EDT by Hubert Kario
Modified: 2017-03-21 05:03 EDT (History)
Fixed In Version: gnutls-2.12.23-1.el6
Last Closed: 2017-03-21 05:03:08 EDT
Type: Bug


Attachments
Certificates (30.11 KB, application/x-gzip), 2016-04-01 10:45 EDT, Hubert Kario
Nikos proposed patch (9.46 KB, patch), 2016-04-01 10:47 EDT, Hubert Kario


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0574 normal SHIPPED_LIVE Moderate: gnutls security, bug fix, and enhancement update 2017-03-21 08:23:04 EDT

Description Hubert Kario 2016-04-01 10:45:39 EDT
Created attachment 1142600 [details]
Certificates

Description of problem:
When gnutls-serv is configured to request client certificates and work as an HTTP server, connections from NSS with client certificates cause the server to crash.

Version-Release number of selected component (if applicable):
gnutls-2.8.5-19.el6_7.x86_64

How reproducible:
always

Steps to Reproduce:
1. tar xzf certs.tar.gz
2. valgrind gnutls-serv --http -p 4433 --priority NORMAL:+VERS-TLS1.2 --x509keyfile rsa-server/key.pem --x509certfile <(cat 'rsa-server/cert.pem' 'rsa-ca/cert.pem') --x509cafile <(cat ca/cert.pem rsa-ca/cert.pem) --require-cert

in another terminal:
3. /usr/lib64/nss/unsupported-tools/tstclnt -h localhost -p 4433 -d sql:./nssdb/ -n rsa-client -4 -V tls1.0:
4. enter "GET / HTTP/1.0" and two newlines to tstclnt

Actual results:
    ==9241== Memcheck, a memory error detector
    ==9241== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
    ==9241== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
    ==9241== Command: gnutls-serv --http -p 4433 --priority NORMAL:+VERS-TLS1.2 --x509keyfile rsa-server/key.pem --x509certfile /dev/fd/63 --x509cafile /dev/fd/62 --require-cert
    ==9241==
    HTTP Server listening on 0.0.0.0 port 4433 family 2...done
    HTTP Server listening on :: port 4433 family 10...bind() failed: Address already in use
    ==9241== Conditional jump or move depends on uninitialised value(s)
    ==9241==    at 0x4E55817: gnutls_session_get_id (gnutls_session.c:161)
    ==9241==    by 0x40431E: peer_print_info (serv.c:501)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==
    ==9241== Invalid write of size 1
    ==9241==    at 0x4C29C8C: strcat (mc_replace_strmem.c:267)
    ==9241==    by 0x404637: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x66139f0 is 0 bytes after a block of size 5,120 alloc'd
    ==9241==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
    ==9241==    by 0x4042A8: peer_print_info (serv.c:494)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==
    ==9241== Invalid write of size 1
    ==9241==    at 0x4C29C9F: strcat (mc_replace_strmem.c:267)
    ==9241==    by 0x404637: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c64 is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid read of size 1
    ==9241==    at 0x4C29FA4: strlen (mc_replace_strmem.c:403)
    ==9241==    by 0x40463F: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x66139f0 is 0 bytes after a block of size 5,120 alloc'd
    ==9241==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
    ==9241==    by 0x4042A8: peer_print_info (serv.c:494)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==
    ==9241== Invalid write of size 8
    ==9241==    at 0x40464F: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c64 is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 1
    ==9241==    at 0x404652: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c6c is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid read of size 1
    ==9241==    at 0x4C29FA4: strlen (mc_replace_strmem.c:403)
    ==9241==    by 0x404667: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x66139f0 is 0 bytes after a block of size 5,120 alloc'd
    ==9241==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
    ==9241==    by 0x4042A8: peer_print_info (serv.c:494)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==
    ==9241== Invalid write of size 8
    ==9241==    at 0x404695: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c6c is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 8
    ==9241==    at 0x404698: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c74 is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 8
    ==9241==    at 0x40469C: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c7c is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 8
    ==9241==    at 0x4046A0: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c84 is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 2
    ==9241==    at 0x4046AA: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c8c is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid read of size 1
    ==9241==    at 0x4C29C74: strcat (mc_replace_strmem.c:267)
    ==9241==    by 0x4046B4: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x66139f0 is 0 bytes after a block of size 5,120 alloc'd
    ==9241==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
    ==9241==    by 0x4042A8: peer_print_info (serv.c:494)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==
    ==9241== Invalid write of size 1
    ==9241==    at 0x4C29C9F: strcat (mc_replace_strmem.c:267)
    ==9241==    by 0x4046B4: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c8d is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid read of size 1
    ==9241==    at 0x4C29FA4: strlen (mc_replace_strmem.c:403)
    ==9241==    by 0x4046BC: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x66139f0 is 0 bytes after a block of size 5,120 alloc'd
    ==9241==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
    ==9241==    by 0x4042A8: peer_print_info (serv.c:494)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==
    ==9241== Invalid write of size 8
    ==9241==    at 0x4046C5: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c8d is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 2
    ==9241==    at 0x4046C8: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c95 is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 1
    ==9241==    at 0x4046CE: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c97 is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid read of size 1
    ==9241==    at 0x4C29FA4: strlen (mc_replace_strmem.c:403)
    ==9241==    by 0x4046D6: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x66139f0 is 0 bytes after a block of size 5,120 alloc'd
    ==9241==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
    ==9241==    by 0x4042A8: peer_print_info (serv.c:494)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==
    ==9241== Invalid write of size 8
    ==9241==    at 0x4046F3: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c9f is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 8
    ==9241==    at 0x4046F7: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c97 is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 2
    ==9241==    at 0x4046FA: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613ca7 is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid read of size 1
    ==9241==    at 0x4C29FA4: strlen (mc_replace_strmem.c:403)
    ==9241==    by 0x404704: peer_print_info (serv.c:621)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x66139f0 is 0 bytes after a block of size 5,120 alloc'd
    ==9241==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
    ==9241==    by 0x4042A8: peer_print_info (serv.c:494)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==
    --9241-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
    --9241-- si_code=80;  Faulting address: 0x0;  sp: 0x4030bbdd0
     
    valgrind: the 'impossible' happened:
       Killed by fatal signal
    ==9241==    at 0x3803EC04: vgPlain_arena_malloc (m_mallocfree.c:291)
    ==9241==    by 0x38003C34: vgMemCheck_new_block (mc_malloc_wrappers.c:263)
    ==9241==    by 0x3800409A: vgMemCheck_malloc (mc_malloc_wrappers.c:301)
    ==9241==    by 0x3807A58A: vgPlain_scheduler (scheduler.c:1665)
    ==9241==    by 0x380A6409: run_a_thread_NORETURN (syswrap-linux.c:103)
     
    sched status:
      running_tid=1
     
    Thread 1: status = VgTs_Runnable
    ==9241==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
    ==9241==    by 0x4E470A6: _gnutls_send_int (gnutls_record.c:404)
    ==9241==    by 0x405B8D: main (serv.c:1336)
     
     
    Note: see also the FAQ in the source distribution.
    It contains workarounds to several common problems.
    In particular, if Valgrind aborted or crashed after
    identifying problems in your program, there's a good chance
    that fixing those problems will prevent Valgrind aborting or
    crashing, especially if it happened in m_mallocfree.c.
     
    If that doesn't help, please report this bug to: www.valgrind.org
     
    In the bug report, send all the above text, the valgrind
    version, and what OS and version you are using.  Thanks.


Expected results:
HTML with description of the connection

Additional info:
Comment 1 Hubert Kario 2016-04-01 10:47 EDT
Created attachment 1142614 [details]
Nikos proposed patch

Patch proposed by Nikos to fix it (untested)
Comment 3 Nikos Mavrogiannopoulos 2016-08-09 08:24:37 EDT
Verified that this is addressed with the 2.12.x rebase.
Comment 7 errata-xmlrpc 2017-03-21 05:03:08 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0574.html
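
The Valgrind trace in the description shows `strcat` writing "0 bytes after a block of size 5,120" allocated in `peer_print_info`. The following added example (not gnutls source and not the attached patch) sketches a bounded append that refuses a piece that does not fit instead of writing past the block; `append_bounded`, `build_peer_page`, the HTML strings and the `'A'`-filled peer description are hypothetical, and only the 5,120-byte size comes from the trace.

```c
/* Added illustration, not gnutls source; every name here is hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INFO_BUF_SIZE 5120 /* block size reported in the Valgrind trace */

/* Append formatted text at buf[*len] without writing past buf[cap - 1].
 * Returns 0 on success; -1 if the piece did not fit, leaving the string as it was. */
static int append_bounded(char *buf, size_t cap, size_t *len, const char *fmt, ...)
{
    size_t room = cap - *len; /* includes the byte for the NUL */
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(buf + *len, room, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= room) {
        buf[*len] = '\0'; /* discard the partial piece */
        return -1;
    }
    *len += (size_t)n;
    return 0;
}

/* Build a status page around a peer description of desc_len bytes
 * (constructed input). Returns bytes used, or -1 if anything did not fit. */
static long build_peer_page(size_t desc_len)
{
    char *buf = malloc(INFO_BUF_SIZE), *desc = malloc(desc_len + 1);
    size_t len = 0;
    long used = -1;
    if (buf && desc) {
        memset(desc, 'A', desc_len);
        desc[desc_len] = '\0';
        if (append_bounded(buf, INFO_BUF_SIZE, &len, "<HTML><BODY>\n") == 0 &&
            append_bounded(buf, INFO_BUF_SIZE, &len, "<PRE>%s</PRE>\n", desc) == 0 &&
            append_bounded(buf, INFO_BUF_SIZE, &len, "</BODY></HTML>\n") == 0)
            used = (long)len;
    }
    free(desc);
    free(buf);
    return used;
}

int main(void)
{
    printf("fits: %ld, oversized: %ld\n", build_peer_page(100), build_peer_page(8000));
    return 0;
}
```

Running the program under Valgrind, as in the reproduction steps, should report no invalid writes for either input, because the oversized description is rejected before any byte lands outside the block.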
