On Tue, Dec 11, 2001 at 09:06:12AM -0600, VanWagner, Lyndon wrote:
> I know that this does not follow the normal bug reporting procedures, but I
> don't have the necessary forms/reports at my fingertips.
> I wanted to let you know, that I've had problems using OpenSSH (v3.0.1p1 and
> v3.0.2p1) with OpenSSL (v0.9.6b). Mainly, when
> I try generating DSA keys with ssh-keygen and running the ssh client, I get
> coredumps with Segmentation Violations and Bus Error
> signals. In both cases, the code died in OpenSSL code - the DSA and DH
> modules.
>
> I'm using gcc v3.0.2 and GNU make to build the stuff on older SPARC (sun4m)
> hardware, under Solaris 6 and 8. I took a look at the code and fixed it on
> my end by doing several things in
> mem.c, dsa_gen.c, dsa_lib.c, dh_gen.c, dh_key.c, dh_lib.c.
> 1) Initialized all automatic variables, including structures and arrays.
> 2) Added null pointer tests.
> 3) Increased automatic buffer allocations by 1.
We have seen problems on Solaris 8 caused by buggy initialization of
variables. I have checked in some workarounds for the 0.9.6c release,
which is to be released really, really, really soon now.
Anyway I may have missed an initialization (I hope not), so I would
be interested in receiving your patch via openssl-dev. Anyway I think,
that the changed you made under 1) should be sufficient. 2) should
not help much, as dereferencing NULL pointers identifies program errors in
the calling program and should be fixed within it. (I personally run
OpenSSH on a lot of hosts on both HP-UX and Linux and have not seen
corresponding bugs.) Errors falling under category 3 identify buffer
overruns. Dynamic memory must be allocated as required. If increasing the
size by an arbitrary number fixes a problem, there is a bug around that
must be fixed. Just increasing buffer allocations only hides the problem,
it does not solve it.
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
