Hello,

I got a segmentation fault in s2_clnt.c. This error is reproducible
using openssl-SNAP-20000910, but seems to have been sleeping in the code
at least since 0.9.3 (the oldest version whose source I currently have
available).

I'm using Linux 2.2.13 i586, but the error should be
system-independent.


In my application, I want to be able to connect to many different
SSL servers using different SSL properties (version, cipher
suite...). So I use one SSL_CTX that supports both SSL versions.
Before I do an SSL_connect to a server, I create a new SSL with the
SSL properties I want to use for that server, in this case
especially the SSL version.

So I did the following:
  ssl_ctx = SSL_CTX_new (SSLv23_client_method());
  bio = BIO_new_ssl (ssl_ctx, 1);
  ssl = BIO_get_ssl (bio);
  SSL_set_ssl_method (ssl, SSLv2_client_method ());

Then, when doing an SSL_connect(ssl), I got a segmentation fault.


Using gdb, I tried to find out what went wrong:

When doing SSL_connect(ssl):
    in ssl2_connect():
        [...]
        /* init things to blank */
        if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);

    so, SSL_clear(ssl) will be called.

    in SSL_clear() you can find the following code:

#if 1
        /* Check to see if we were changed into a different method, if
         * so, revert back if we are not doing session-id reuse. */
        if ((s->session == NULL) && (s->method != s->ctx->method))
                {
                s->method->ssl_free(s);
                s->method=s->ctx->method;
                if (!s->method->ssl_new(s))
                        return(0);
                }
        else
#endif

Of course, s->method and s->ctx->method are different (first SSLv2,
second SSLv23), so
                s->method->ssl_free(s);
                s->method=s->ctx->method;
will be executed. But what's that: s->method will now become
SSLv23_client_method() and its ssl_new() function will be called. So
after this SSL_clear() call, we have
   ssl->s2 == NULL
and
   ssl->s3 freshly initialized

but we are inside the ssl2 functions.

Afterwards, when s2_clnt.c:client_hello() is called, it gets a
segmentation fault when accessing s->s2->challenge_length.

As a quick work-around, I changed the #if 1 to #if 0.

Please, can you explain the purpose of the #if 1/#endif code
fragment? I think there must be a reason for it being there, but
maybe it should not modify the method but generate an error message
instead to prevent this segmentation fault.


Niko
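
A simplified C model of the method-revert logic described in the report, added here as illustration; it is not OpenSSL code and not the poster's, and every name in it (SSL_T, METHOD_T, model_clear, model_ssl2_connect, model_run, the strict flag) is invented. It shows the silent revert leaving s2 NULL on the SSLv2 client path, beside the error-returning variant the report proposes.

```c
/* Simplified model of the SSL_clear() method-revert logic quoted in the report.
 * Not OpenSSL code: every name is invented to illustrate the state confusion. */
#include <stdlib.h>
typedef struct ssl_st SSL_T;
typedef struct { int (*ssl_new)(SSL_T *); void (*ssl_free)(SSL_T *); } METHOD_T;
struct ssl_st {
    const METHOD_T *method;     /* method chosen for this object (SSLv2) */
    const METHOD_T *ctx_method; /* stands in for s->ctx->method (SSLv23) */
    void *session;              /* NULL: no session-id reuse */
    int *s2, *s3;               /* stand in for s->s2 and s->s3 */
};
static int  v2_new(SSL_T *s)  { return (s->s2 = calloc(1, sizeof *s->s2)) != NULL; }
static void v2_free(SSL_T *s) { free(s->s2); s->s2 = NULL; }
static int  v3_new(SSL_T *s)  { return (s->s3 = calloc(1, sizeof *s->s3)) != NULL; }
static void v3_free(SSL_T *s) { free(s->s3); s->s3 = NULL; }
static const METHOD_T SSLV2  = { v2_new, v2_free };
static const METHOD_T SSLV23 = { v3_new, v3_free };

/* The quoted reset. strict == 0: silently revert to the context's method
 * (reported behaviour). strict != 0: treat the mismatch as an error and
 * leave the object untouched. Returns 1 on success, 0 on error. */
int model_clear(SSL_T *s, int strict)
{
    if (s->session != NULL || s->method == s->ctx_method)
        return 1;
    if (strict)
        return 0;                   /* refuse; caller keeps its SSLv2 state */
    s->method->ssl_free(s);         /* frees s->s2 */
    s->method = s->ctx_method;
    return s->method->ssl_new(s);   /* allocates s->s3 */
}

/* SSLv2 client path: clear, then touch SSLv2 state as client_hello() would.
 * Returns 1 if usable, 0 if clear refused, -1 if s->s2 is gone (where the
 * real code dereferences NULL). */
int model_ssl2_connect(SSL_T *s, int strict)
{
    if (!model_clear(s, strict))
        return 0;
    if (s->s2 == NULL)
        return -1;
    (*s->s2)++;                     /* stands in for s->s2->challenge_length */
    return 1;
}

/* Set up as the report does (SSLv23 context, SSLv2 object), run, clean up. */
int model_run(int strict)
{
    SSL_T s = { &SSLV2, &SSLV23, NULL, NULL, NULL };
    int rc = s.method->ssl_new(&s) ? model_ssl2_connect(&s, strict) : 0;
    v2_free(&s); v3_free(&s);
    return rc;
}
```

model_run(0) reaches the point where the real code crashes, while model_run(1) stops with an error from the clear step and leaves the SSLv2 state intact.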




______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
