On Feb 22, 2010, at 11:57 AM, Timo Sirainen wrote:

> Well, that's coming from the Kerberos library, which is called by OpenSSL for
> some reason.. Are you using Kerberos? Anyway, it looks to me more like an
> OpenSSL or Kerberos bug.


Below is the stack trace with symbols. The bug appears to manifest only in
64-bit Red Hat/CentOS 5 but happens against multiple versions of openssl
that existed over 5's life. Unfortunately, Red Hat decided to compile in
Kerberos so I can't control that. We played around but couldn't find a way to
make it stop by manipulating ssl_cipher_list.

I have seen dovecot crash when the following packages are installed: 
openssl-0.9.8e-12.el5, openssl-0.9.8e-12.el5_4.1

I've reduced the test case to this:

31705 (SSL Cipher Suites Supported) - 
When run manually from command line, I had to replace 443 with 993 or 995 
inside the ssl_supported_ciphers.nasl script.
Then I can just run this to make it happen: nasl -t <target_host> 

While this is clearly an openssl bug, I cannot reproduce this on courier, but I 
did find a reference to a similar backtrace with stunnel: 

Can you think of any way I could disable kerberos for dovecot so this does not 
segfault? Is there any check we could put in the code to prevent the segfault?



Program received signal SIGSEGV, Segmentation fault.
0x0000003adf4610a2 in krb5_is_referral_realm () from /usr/lib64/libkrb5.so.3
(gdb) bt full
#0  0x0000003adf4610a2 in krb5_is_referral_realm () from /usr/lib64/libkrb5.so.3
No symbol table info available.
#1  0x0000003adf448ade in krb5_kt_get_entry () from /usr/lib64/libkrb5.so.3
No symbol table info available.
#2  0x0000003ae083876e in kssl_keytab_is_available () from /lib64/libssl.so.6
No symbol table info available.
#3  0x0000003ae081e385 in ssl3_choose_cipher () from /lib64/libssl.so.6
No symbol table info available.
#4  0x0000003ae0819b2b in ssl3_get_client_hello () from /lib64/libssl.so.6
No symbol table info available.
#5  0x0000003ae081a4a5 in ssl3_accept () from /lib64/libssl.so.6
No symbol table info available.
#6  0x0000003ae0822642 in ssl23_get_client_hello () from /lib64/libssl.so.6
No symbol table info available.
#7  0x0000003ae0822dd9 in ssl23_accept () from /lib64/libssl.so.6
No symbol table info available.
#8  0x000000000040a8b2 in ssl_handshake (proxy=0x1a793920) at 
        ret = 0
#9  0x000000000040ab50 in ssl_step (proxy=0x1a793920) at ssl-proxy-openssl.c:456
No locals.
#10 0x0000000000417927 in io_loop_handler_run (ioloop=0x1a789d70) at 
        ctx = (struct ioloop_handler_context *) 0x1a78bf00
        events = (struct epoll_event *) 0x1a78d670
        event = (const struct epoll_event *) 0x1a78d670
        list = (struct io_list *) 0x1a7907f0
        io = (struct io_file *) 0x1a795e50
        tv = {tv_sec = 179, tv_usec = 999415}
        events_count = 7
        t_id = 2
        msecs = 180000
        ret = 1
        i = 0
        j = 0
        call = true
#11 0x0000000000416b32 in io_loop_run (ioloop=0x1a789d70) at ioloop.c:336
No locals.
#12 0x0000000000408dbd in main (argc=1, argv=0x7fffeae55498, 
envp=0x7fffeae554a8) at main.c:482
