Bug 316541 - openssl: Crash in ssl3_write_pending() during establishing SSL connection
Summary: openssl: Crash in ssl3_write_pending() during establishing SSL connection
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: openssl
Version: 7
Hardware: i386
OS: Linux
low
high
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-10-03 08:51 UTC by Jiri Klimes
Modified: 2007-11-30 22:12 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-10-04 07:33:00 UTC
Type: ---
Embargoed:



Description Jiri Klimes 2007-10-03 08:51:52 UTC
Description of problem:
I am adding TLS/SSL capability to my application. It should behave as a TLS/SSL client.
However, during connection establishment the program crashes in the libssl library with a
segfault.

Here is the stack from core dump:
[jirka@localhost src]$ gdb ./sipte core.5978
GNU gdb Red Hat Linux (6.6-15.fc7rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
Using host libthread_db library "/lib/libthread_db.so.1".

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /lib/libpthread.so.0...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib/libssl.so.6...Reading symbols from
/usr/lib/debug/lib/libssl.so.0.9.8b.debug...done.
done.
Loaded symbols for /lib/libssl.so.6
Reading symbols from /usr/lib/libstdc++.so.6...done.
Loaded symbols for /usr/lib/libstdc++.so.6
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libgcc_s.so.1...done.
Loaded symbols for /lib/libgcc_s.so.1
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libcrypto.so.6...Reading symbols from
/usr/lib/debug/lib/libcrypto.so.0.9.8b.debug...done.
done.
Loaded symbols for /lib/libcrypto.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /usr/lib/libgssapi_krb5.so.2...done.
Loaded symbols for /usr/lib/libgssapi_krb5.so.2
Reading symbols from /usr/lib/libkrb5.so.3...done.
Loaded symbols for /usr/lib/libkrb5.so.3
Reading symbols from /lib/libcom_err.so.2...done.
Loaded symbols for /lib/libcom_err.so.2
Reading symbols from /usr/lib/libk5crypto.so.3...done.
Loaded symbols for /usr/lib/libk5crypto.so.3
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libz.so.1...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /usr/lib/libkrb5support.so.0...done.
Loaded symbols for /usr/lib/libkrb5support.so.0
Reading symbols from /lib/libkeyutils.so.1...done.
Loaded symbols for /lib/libkeyutils.so.1
Core was generated by `./sipte -i netctl2.in -TLS_VER tls1'.
Program terminated with signal 11, Segmentation fault.
#0  0x022af3cf in ssl3_write_pending (s=0xbec0e80, type=22, buf=0xbec16e8
"\2009�\v�\017�\v", len=96) at s3_pkt.c:754
754                     if (i == s->s3->wbuf.left)
(gdb) bt
#0  0x022af3cf in ssl3_write_pending (s=0xbec0e80, type=22, buf=0xbec16e8
"\2009�\v�\017�\v", len=96) at s3_pkt.c:754
#1  0x022af6d9 in do_ssl3_write (s=0xbec0e80, type=22, buf=0xbec16e8
"\2009�\v�\017�\v", len=96, create_empty_fragment=0)
    at s3_pkt.c:718
#2  0x022af9d4 in ssl3_write_bytes (s=0xbec0e80, type=22, buf_=0xbec16e8,
len=96) at s3_pkt.c:547
#3  0x022b19b0 in ssl3_do_write (s=0xbec0e80, type=22) at s3_both.c:132
#4  0x022ab30c in ssl3_client_hello (s=0xbec0e80) at s3_clnt.c:616
#5  0x022aca85 in ssl3_connect (s=0xbec0e80) at s3_clnt.c:243
#6  0x022bd7bd in SSL_do_handshake (s=0xbec0e80) at ssl_lib.c:2042
#7  0x08099392 in process_net_ctl ()
#8  0x0809a3fa in process_exec_queue ()
#9  0x0809a890 in execute_input_script ()
#10 0x0808f195 in main ()
(gdb)

Version-Release number of selected component (if applicable):
Linux localhost.localdomain 2.6.22.7-85.fc7 #1 SMP Fri Sep 21 19:53:05 EDT 2007
i686 i686 i386 GNU/Linux
openssl-0.9.8b-14.fc7


How reproducible:
It occurs quite regularly (even if not every time).



Comment 1 Tomas Mraz 2007-10-03 09:12:33 UTC
I suppose that it is a problem in your application in how it calls OpenSSL. The
backtrace is not suspicious - if the crash is really on the access to
s->s3->wbuf.left it would have to mean that it is somehow silently corrupted
during the operation. Is your application multithreaded?

As I don't see any other reports of regularly crashing applications which try
SSL connects through OpenSSL, I'd really need some simple reproducer to trace the
crash more.


Comment 2 Jiri Klimes 2007-10-04 07:33:00 UTC
First of all, thanks for a quick response.

I must confirm that it's not a bug in openssl.
I was not quite correct in my first report, as the crash appears not during
session establishment but during renegotiation. Nevertheless, your guess about a
multithreaded application was right.

I have debugged it a bit and have found that s->s3 was 'nulled' in one thread,
so that in the other it caused a segmentation fault.
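The race described in this comment (s->s3 cleared by one thread while another thread is still inside the handshake write path) is the usual consequence of sharing a single OpenSSL SSL object between threads without external locking: OpenSSL does not serialise concurrent use of one SSL object for you. The following C program is an added example, not code from this bug report or from OpenSSL. It models the SSL handle with a stand-in struct (assumption: libssl is not linked here, and the names `fake_ssl`, `ssl_conn`, `ssl_conn_*`, `sequential_demo` and `run_race_demo` are invented for illustration) and shows the defensive pattern: one mutex per connection that both the write path and the teardown path take, so teardown nulls the handle under the lock and a concurrent writer gets an error return instead of dereferencing NULL.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for OpenSSL's SSL object (assumption: libssl is not linked).
 * The real struct carries the s->s3 pointer the reporter saw nulled. */
typedef struct {
    void *s3;          /* models SSL->s3: freed and nulled on teardown */
    int bytes_written;
} fake_ssl;

/* Per-connection wrapper: owns the handle and the lock that guards it. */
typedef struct {
    pthread_mutex_t lock;
    fake_ssl *ssl;     /* NULL once the connection has been torn down */
} ssl_conn;

int ssl_conn_init(ssl_conn *c) {
    if (pthread_mutex_init(&c->lock, NULL) != 0) return -1;
    c->ssl = calloc(1, sizeof(*c->ssl));
    if (!c->ssl) return -1;
    c->ssl->s3 = calloc(1, 64);
    return c->ssl->s3 ? 0 : -1;
}

/* Write path: take the lock, verify the handle is still alive, only then
 * touch s3. A torn-down connection yields -1 rather than a NULL deref. */
int ssl_conn_write(ssl_conn *c, const char *buf, int len) {
    int rc;
    (void)buf;
    pthread_mutex_lock(&c->lock);
    if (c->ssl == NULL || c->ssl->s3 == NULL) {
        rc = -1;                       /* connection gone: report an error */
    } else {
        memset(c->ssl->s3, 0, 64);     /* stand-in for real write bookkeeping */
        c->ssl->bytes_written += len;
        rc = len;
    }
    pthread_mutex_unlock(&c->lock);
    return rc;
}

/* Teardown path: null the handle under the SAME lock, so no writer can be
 * halfway through using it. Safe to call more than once. */
void ssl_conn_teardown(ssl_conn *c) {
    pthread_mutex_lock(&c->lock);
    if (c->ssl) {
        free(c->ssl->s3);
        c->ssl->s3 = NULL;
        free(c->ssl);
        c->ssl = NULL;
    }
    pthread_mutex_unlock(&c->lock);
}

/* Single-threaded check: a write after teardown is an error, not a crash. */
int sequential_demo(void) {
    ssl_conn c;
    int ok;
    if (ssl_conn_init(&c) != 0) return 0;
    ok = (ssl_conn_write(&c, "hello", 5) == 5);
    ssl_conn_teardown(&c);
    ok = ok && (ssl_conn_write(&c, "hello", 5) == -1);
    ssl_conn_teardown(&c);             /* second teardown is a no-op */
    pthread_mutex_destroy(&c.lock);
    return ok;
}

/* Writer thread: hammer the connection and tally outcomes. */
struct writer_stats { ssl_conn *c; int ok; int closed; };

static void *writer_thread(void *arg) {
    struct writer_stats *st = arg;
    for (int i = 0; i < 100000; i++) {
        if (ssl_conn_write(st->c, "hello", 5) > 0) st->ok++; else st->closed++;
    }
    return NULL;
}

/* Two threads race, as in the report: one writes, the other tears down.
 * Returns the number of write attempts accounted for (ok + closed); every
 * attempt either succeeds or is cleanly refused, none dereferences NULL. */
int run_race_demo(void) {
    ssl_conn c;
    struct writer_stats st = { &c, 0, 0 };
    pthread_t t;
    if (ssl_conn_init(&c) != 0) return -1;
    if (pthread_create(&t, NULL, writer_thread, &st) != 0) return -1;
    ssl_conn_teardown(&c);             /* races the writer, under the lock */
    pthread_join(t, NULL);
    pthread_mutex_destroy(&c.lock);
    return st.ok + st.closed;
}

int main(void) {
    printf("sequential ok: %d, accounted writes: %d\n",
           sequential_demo(), run_race_demo());
    return 0;
}
```

The lock is per connection rather than global, which keeps independent connections from serialising on each other; the essential property is only that every code path that reads or frees the handle holds the same lock. With a real SSL object the same shape applies: the thread that calls SSL_free (or otherwise discards the object) must hold the lock that the thread calling SSL_write / SSL_do_handshake holds, or the two must be confined to a single thread.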


