To OpenSSL Support:

We would like to report an OpenSSL crash that occurs randomly at the call to 
BIO_test_flags() in the file crypto/bio/bio_lib.c.  It happens with various 
versions of OpenSSL-0.9.8 (r, x, ...), and the problem seems to be that 
BIO_test_flags() was dereferencing the input pointer 'BIO *b' without first 
null-checking it, resulting in a crash when b happens to be null.

In our application we use DTLS encryption developed by RTI, and it is RTI's 
runtime library libnddstransporttls.so that invokes a chain of OpenSSL 
functions which ends up in BIO_test_flags(), as in the call stack below.  We 
checked with RTI and they confirmed that 'BIO *b' was something internal to 
OpenSSL and not something that they passed in.

Can you please look into the issue and see if this is a legitimate bug?

Thanks,
My Pham


#6  0x01178746 in signalHandler(int, siginfo*, void*) () from /usr/java/jdk1.7.0_21/jre/lib/i386/client/libjvm.so
#7  <signal handler called>
#8  0x01ad0ad9 in BIO_test_flags (b=0x0, flags=15) at bio_lib.c:151
#9  0x01ad16bc in BIO_copy_next_retry (b=0xb41db140) at bio_lib.c:569
#10 0x01ad509a in buffer_ctrl (b=0xb41db140, cmd=11, num=0, ptr=0x0) at bf_buff.c:410
#11 0x01ad1182 in BIO_ctrl (b=0xb41db140, cmd=11, larg=0, parg=0x0) at bio_lib.c:370
#12 0x00b16c13 in dtls1_retransmit_message (s=0x6585eff0, seq=0, frag_off=0, found=0xb34fdca0) at d1_both.c:1306
#13 0x00b16683 in dtls1_retransmit_buffered_messages (s=0x6585eff0) at d1_both.c:1142
#14 0x00b11e8a in dtls1_handle_timeout (s=0x6585eff0) at d1_lib.c:384
#15 0x00b12c65 in dtls1_read_bytes (s=0x6585eff0, type=22, buf=0xb34fde0c "\rGp", len=12, peek=0) at d1_pkt.c:735
#16 0x00b15c36 in dtls1_get_message_fragment (s=0x6585eff0, st1=4384, stn=4385, max=20000, ok=0xb34fdee4) at d1_both.c:801
#17 0x00b14fcf in dtls1_get_message (s=0x6585eff0, st1=4384, stn=4385, mt=-1, max=20000, ok=0xb34fdee4) at d1_both.c:438
#18 0x00afd1d1 in ssl3_get_server_hello (s=0x6585eff0) at s3_clnt.c:700
#19 0x00b0fcb4 in dtls1_connect (s=0x6585eff0) at d1_clnt.c:256
#20 0x00b1b31d in SSL_do_handshake (s=0x6585eff0) at ssl_lib.c:2194
#21 0x00704f5c in NDDS_Transport_DTLS_Connection_try_connect () from /opt/RTI/ndds-current/lib/i86Linux2.6gcc4.1.1/libnddstransporttls.so
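Added illustration of the failure shape in frames #8 and #9 (this is not OpenSSL's source and not the reporter's code): a buffer BIO whose next_bio is NULL, an unchecked flag accessor that would fault on it, and the defensive variants that return "no flags" instead. The BIO struct, the copy-next-retry helper and the two demo scenarios are constructed for this sketch; only the BIO_FLAGS_* values mirror OpenSSL's bio.h constants (15, the flags value in frame #8, is BIO_FLAGS_RWS | BIO_FLAGS_SHOULD_RETRY).

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for OpenSSL's BIO with only the fields this sketch needs. */
typedef struct bio_st BIO;
struct bio_st {
    int flags;
    BIO *next_bio;  /* next BIO in the chain; NULL at the end of the chain */
};

/* Flag values mirroring OpenSSL's bio.h; 15 (frame #8) is RWS | SHOULD_RETRY. */
#define BIO_FLAGS_READ         0x01
#define BIO_FLAGS_WRITE        0x02
#define BIO_FLAGS_IO_SPECIAL   0x04
#define BIO_FLAGS_RWS          (BIO_FLAGS_READ | BIO_FLAGS_WRITE | BIO_FLAGS_IO_SPECIAL)
#define BIO_FLAGS_SHOULD_RETRY 0x08
#define BIO_FLAGS_RETRY_MASK   (BIO_FLAGS_RWS | BIO_FLAGS_SHOULD_RETRY)

/* Accessor as the report describes it: the pointer is used without a check,
   so a NULL b faults here (never called with NULL in this sketch). */
int test_flags_unchecked(const BIO *b, int flags) {
    return b->flags & flags;
}

/* Defensive variant: a missing BIO simply reports "no flags set". */
int test_flags_checked(const BIO *b, int flags) {
    if (b == NULL)
        return 0;
    return b->flags & flags;
}

/* Simplified copy-next-retry step (assumption: not OpenSSL's BIO_copy_next_retry):
   clear b's retry flags and copy those of the next BIO in the chain.
   Returns 1 when flags were copied, 0 when there is no next BIO. */
int copy_next_retry_checked(BIO *b) {
    if (b == NULL || b->next_bio == NULL)
        return 0;  /* chain ends here: nothing to copy and nothing to dereference */
    b->flags &= ~BIO_FLAGS_RETRY_MASK;
    b->flags |= test_flags_checked(b->next_bio, BIO_FLAGS_RETRY_MASK);
    return 1;
}

/* Scenario 1 (constructed): buffer BIO in front of a transport BIO that wants a
   write retry. Returns the buffer BIO's flags after the copy: WRITE|SHOULD_RETRY = 10. */
int demo_with_next(void) {
    BIO transport = { BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY, NULL };
    BIO buffer = { BIO_FLAGS_READ, &transport };
    copy_next_retry_checked(&buffer);
    return buffer.flags;
}

/* Scenario 2 (constructed): buffer BIO whose next_bio is NULL, the shape behind
   frame #8. Returns 0 when the guarded copy declines and leaves the flags untouched. */
int demo_without_next(void) {
    BIO buffer = { BIO_FLAGS_READ, NULL };
    int copied = copy_next_retry_checked(&buffer);
    return (copied == 0 && buffer.flags == BIO_FLAGS_READ) ? 0 : -1;
}

int main(void) {
    printf("with next BIO:    flags=%d\n", demo_with_next());
    printf("without next BIO: result=%d\n", demo_without_next());
    return 0;
}
```

The guard belongs in the caller as much as in the accessor: returning "no flags" from a NULL chain element keeps the retransmit path from faulting, but a chain that is missing its transport BIO is still a state worth logging on the application side.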


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
