Hello,
Not sure if it's right place for posting bug reports, but I didn't
find a better place.
I ran into a problem when the server makes a lot of writes to the client
in non-blocking mode - this often resulted in shutdown of the session
with
SSL3_WRITE_PENDING:bad write error. The bug I discovered is hidden here:
s_server.c, line 1837
    for (;;)
        {
        /* should do a select for the write */
#ifdef RENEG
        { static count=0; if (++count == 100) { count=0; SSL_renegotiate(con); } }
#endif
        k=SSL_write(con,&(buf[l]),(unsigned int)i);
        switch (SSL_get_error(con,k))
            {
        case SSL_ERROR_NONE:
            break;
        case SSL_ERROR_WANT_WRITE:
        case SSL_ERROR_WANT_READ:
        case SSL_ERROR_WANT_X509_LOOKUP:
            /*BUG*/ BIO_printf(bio_s_out,"Write BLOCK\n");
            break;
        case SSL_ERROR_SYSCALL:
        case SSL_ERROR_SSL:
            BIO_printf(bio_s_out,"ERROR\n");
            ERR_print_errors(bio_err);
            ret=1;
            goto err;
            /* break; */
        case SSL_ERROR_ZERO_RETURN:
            BIO_printf(bio_s_out,"DONE\n");
            ret=1;
            goto err;
            }
        l+=k;
        i-=k;
        if (i <= 0) break;
        }
When SSL_write returns SSL_ERROR_WANT_WRITE, control jumps out of the
switch and modifies the variables l (bytes sent) and i (bytes left).
BUT - k is _negative_ (as it stores the error value), so l is
decreased and i is increased. On the next iteration SSL_write is
called with a different buffer pointer (at that point l commonly becomes <0,
so buf[l] is out of buf's bounds), and that is detected inside
ssl3_write_pending, which now results in an SSL_ERROR_SSL error.
Adding k=0 to the "case SSL_ERROR_WANT_WRITE:" handler, or replacing
its "break" with "continue", completely fixes the problem.
Regards,
Maxim
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
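The arithmetic error described in the post, rebuilt as an added example that is not part of the post or of OpenSSL: a stand-in `mock_ssl_write` (assumed here, returning -1 with a WANT_WRITE condition on every other call) drives the same `l`/`i` bookkeeping, once as in s_server.c and once with the `k=0` remedy, so the pointer drift can be observed without a TLS stack.

```c
/* Added example, not from the original post or OpenSSL: the s_server.c
 * write loop with a fake SSL_write so the l/i arithmetic can be checked. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { MOCK_ERROR_NONE = 0, MOCK_ERROR_WANT_WRITE = 3 };
static int mock_err;    /* what SSL_get_error() would report */
static int mock_calls;

/* Stand-in for SSL_write: odd-numbered calls fail with WANT_WRITE and
 * return -1 (as the real call does); even-numbered calls deliver up to
 * 4 bytes of p into `sent`. */
static int mock_ssl_write(char *sent, size_t *sent_len, const char *p, int n)
{
    if (++mock_calls % 2 == 1) { mock_err = MOCK_ERROR_WANT_WRITE; return -1; }
    int k = n < 4 ? n : 4;
    memcpy(sent + *sent_len, p, (size_t)k);
    *sent_len += (size_t)k;
    mock_err = MOCK_ERROR_NONE;
    return k;
}

/* The s_server loop. fix==0 keeps the original behaviour (k stays -1 on
 * WANT_WRITE); fix==1 applies the post's k=0 remedy. Returns 0 when all of
 * buf is delivered, -1 when &buf[l] would leave the buffer (the bug). */
static int write_loop(const char *buf, int len, int fix, char *out, size_t *outlen)
{
    int l = 0, i = len, k;
    mock_calls = 0; *outlen = 0;
    for (int iter = 0; iter < 100; iter++) {
        if (l < 0 || l + i > len)       /* real code would read out of bounds */
            return -1;
        k = mock_ssl_write(out, outlen, &buf[l], i);
        switch (mock_err) {
        case MOCK_ERROR_NONE:
            break;
        case MOCK_ERROR_WANT_WRITE:
            if (fix) k = 0;             /* nothing was sent: leave l and i alone */
            break;
        }
        l += k;                         /* with k == -1 this moves l backwards */
        i -= k;
        if (i <= 0) break;
    }
    out[*outlen] = '\0';
    return i <= 0 ? 0 : -1;
}
```

With the constructed input "hello world!" the unfixed loop fails on its second iteration (l == -1), while the fixed loop delivers all 12 bytes across the alternating WANT_WRITE results.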