Hello,
When using AES_cbc_encrypt, if an IV passed to the function has an
incorrect length, a segmentation fault will occur. Attached is the
testlog and a dump file. The IV pointer is the memory location passed to
the encryption function, this is where the fault occurs. Obviously,
implementations can easily perform error checking before passing the IV
to the encryption function, but a segmentation fault is a bit extreme if
an implementation does not perform error checking, and ultimately
killing whatever application that they have running.
In my implementation, I am using Python and a wrapper to the OpenSSL
library. You can see this in the backtrace. If you need more information
please feel free to contact me.
Thank you,
John Reed
OpenSSL self-test report:
OpenSSL version: 0.9.8i
Last change: Fix a state transitition in s3_srvr.c and d1_srvr.c...
Options: no-camellia no-capieng no-cms no-gmp no-krb5 no-mdc2
no-montasm no-rc5 no-rfc3779 no-seed no-shared no-tlsext no-zlib no-zlib-dynamic
OS (uname): Linux ikev2testbed559439.sd.spawar.navy.mil
2.6.21.RSCH.FarSync.1 #1 SMP Sun Sep 16 13:43:09 PDT 2007 i686 i686 i386
GNU/Linux
OS (config): i686-whatever-linux2
Target (default): linux-elf
Target: dist
Compiler: Using built-in specs.
Target: i386-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man
--infodir=/usr/share/info --enable-shared --enable-threads=posix
--enable-checking=release --with-system-zlib --enable-__cxa_atexit
--disable-libunwind-exceptions
--enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk
--disable-dssi --enable-plugin
--with-java-home=/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre
--enable-libgcj-multifile --enable-java-maintainer-mode
--with-ecj-jar=/usr/share/java/eclipse-ecj.jar --with-cpu=generic
--host=i386-redhat-linux
Thread model: posix
gcc version 4.1.2 20070925 (Red Hat 4.1.2-27)
Test passed.
IV : 0
SV : 0
above set_encrypt
above cbc_encrypt
Above buildvalue
Above freeIV
IV memory: 14
IV pointer: 0x83ecf78
SV memory: 0
SV pointer: 0xb7eea8f4
*** glibc detected *** python: free(): invalid next size (fast): 0x083ecf78 ***
======= Backtrace: =========
/lib/libc.so.6[0xb5bdf1]
/lib/libc.so.6(cfree+0x90)[0xb5f430]
/home/reedjohn/rsch/IKEv2_Emulator/hcryptolib/hcrypto__UNCLASSIFIED.so[0x116453]
/usr/lib/libpython2.5.so.1.0(PyCFunction_Call+0x14d)[0x210618d]
/usr/lib/libpython2.5.so.1.0(PyEval_EvalFrameEx+0x6714)[0x2153074]
/usr/lib/libpython2.5.so.1.0(PyEval_EvalFrameEx+0x63cf)[0x2152d2f]
/usr/lib/libpython2.5.so.1.0(PyEval_EvalFrameEx+0x63cf)[0x2152d2f]
/usr/lib/libpython2.5.so.1.0(PyEval_EvalCodeEx+0x7ef)[0x2153b7f]
/usr/lib/libpython2.5.so.1.0(PyEval_EvalCode+0x63)[0x2153c03]
/usr/lib/libpython2.5.so.1.0[0x216d616]
/usr/lib/libpython2.5.so.1.0(PyRun_FileExFlags+0x8e)[0x216d6ce]
/usr/lib/libpython2.5.so.1.0(PyRun_SimpleFileExFlags+0x198)[0x216ed88]
/usr/lib/libpython2.5.so.1.0(PyRun_AnyFileExFlags+0x7a)[0x216f4ea]
/usr/lib/libpython2.5.so.1.0(Py_Main+0xa0d)[0x2178f7d]
python(main+0x32)[0x80485b2]
/lib/libc.so.6(__libc_start_main+0xe0)[0xb09f70]
python[0x80484c1]
======= Memory map: ========
00110000-00114000 r-xp 00000000 fd:00 13441310
/usr/lib/python2.5/lib-dynload/binascii.so
00114000-00115000 rwxp 00003000 fd:00 13441310
/usr/lib/python2.5/lib-dynload/binascii.so
00115000-00119000 r-xp 00000000 fd:00 8587460
/home/reedjohn/rsch/IKEv2_Emulator/hcryptolib/hcrypto__UNCLASSIFIED.so
00119000-0011a000 rwxp 00003000 fd:00 8587460
/home/reedjohn/rsch/IKEv2_Emulator/hcryptolib/hcrypto__UNCLASSIFIED.so
00123000-0013e000 r-xp 00000000 fd:00 13402167 /lib/ld-2.6.so
0013e000-0013f000 r-xp 0001a000 fd:00 13402167 /lib/ld-2.6.so
0013f000-00140000 rwxp 0001b000 fd:00 13402167 /lib/ld-2.6.so
00252000-0036f000 r-xp 00000000 fd:00 13402441 /lib/libcrypto.so.0.9.8b
0036f000-00381000 rwxp 0011d000 fd:00 13402441 /lib/libcrypto.so.0.9.8b
00381000-00385000 rwxp 00381000 00:00 0
004e4000-004e6000 r-xp 00000000 fd:00 13402474 /lib/libutil-2.6.so
004e6000-004e7000 r-xp 00001000 fd:00 13402474 /lib/libutil-2.6.so
004e7000-004e8000 rwxp 00002000 fd:00 13402474 /lib/libutil-2.6.so
005a3000-005d6000 r-xp 00000000 fd:00 12949937 /usr/lib/sse2/libgmp.so.3.3.3
005d6000-005d7000 rwxp 00032000 fd:00 12949937 /usr/lib/sse2/libgmp.so.3.3.3
00af4000-00c42000 r-xp 00000000 fd:00 13402179 /lib/libc-2.6.so
00c42000-00c44000 r-xp 0014e000 fd:00 13402179 /lib/libc-2.6.so
00c44000-00c45000 rwxp 00150000 fd:00 13402179 /lib/libc-2.6.so
00c45000-00c48000 rwxp 00c45000 00:00 0
00c4a000-00c71000 r-xp 00000000 fd:00 13402367 /lib/libm-2.6.so
00c71000-00c72000 r-xp 00026000 fd:00 13402367 /lib/libm-2.6.so
00c72000-00c73000 rwxp 00027000 fd:00 13402367 /lib/libm-2.6.so
00c75000-00c78000 r-xp 00000000 fd:00 13402324 /lib/libdl-2.6.so
00c78000-00c79000 r-xp 00002000 fd:00 13402324 /lib/libdl-2.6.so
00c79000-00c7a000 rwxp 00003000 fd:00 13402324 /lib/libdl-2.6.so
00c7c000-00c90000 r-xp 00000000 fd:00 13402410 /lib/libpthread-2.6.so
00c90000-00c91000 r-xp 00013000 fd:00 13402410 /lib/libpthread-2.6.so
00c91000-00c92000 rwxp 00014000 fd:00 13402410 /lib/libpthread-2.6.so
00c92000-00c94000 rwxp 00c92000 00:00 0
00c96000-00ca8000 r-xp 00000000 fd:00 13402364 /lib/libz.so.1.2.3
00ca8000-00ca9000 rwxp 00011000 fd:00 13402364 /lib/libz.so.1.2.3
00f44000-00f45000 r-xp 00f44000 00:00 0 [vdso]
020b1000-021c9000 r-xp 00000000 fd:00 12948814 /usr/lib/libpython2.5.so.1.0
021c9000-021ef000 rwxp 00117000 fd:00 12948814 /usr/lib/libpython2.5.so.1.0
021ef000-021f5000 rwxp 021ef000 00:00 0
07ebc000-07ec7000 r-xp 00000000 fd:00 13402228
/lib/libgcc_s-4.1.2-20070925.so.1
07ec7000-07ec8000 rwxp 0000a000 fd:00 13402228
/lib/libgcc_s-4.1.2-20070925.so.1
08048000-08049000 r-xp 00000000 fd:00 12955172 /usr/bin/python
08049000-0804a000 rw-p 00000000 fd:00 12955172 /usr/bin/python
083e5000-08448000 rw-p 083e5000 00:00 0
b7b00000-b7b21000 rw-p b7b00000 00:00 0
b7b21000-b7c00000 ---p b7b21000 00:00 0
b7cd0000-b7cd1000 rw-p b7cd0000 00:00 0
b7cd1000-b7ed1000 r--p 00000000 fd:00 12946998 /usr/lib/locale/locale-archive
b7ed1000-b7f56000 rw-p b7ed1000 00:00 0
bf858000-bf86d000 rw-p bf858000 00:00 0 [stack]
Aborted
