We have implemented an upload speed limiter in our application. But when we want to limit the speed of a TLS encrypted transfer, the application crashes. I guess it can be because we are sending a very small length to the SSL_write function. When the length parameter is 32768, everything is correct, but when we set it to something very low (for example 900), there's a big probability that it crashes. I think the trigger is a runtime change from a high value to a very low value, because when the low value is set from the beginning everything is correct. Crash callstack follows:
> StrongDC.exe!memcpy(unsigned char * dst=0x02610618, unsigned char * src=0x02730048, unsigned long count=16384) Line 188 Asm
  StrongDC.exe!do_ssl3_write(ssl_st * s=0x02667e78, int type=23, const unsigned char * buf=0x02730048, unsigned int len=16384, int create_empty_fragment=0) Line 745 + 0x1a bytes C
  StrongDC.exe!ssl3_write_bytes(ssl_st * s=0x02667e78, int type=23, const void * buf_=0x02718048, int len=4) Line 587 + 0x1a bytes C
  StrongDC.exe!ssl3_write(ssl_st * s=0x02667e78, const void * buf=0x02718048, int len=4) Line 3250 + 0x19 bytes C
  StrongDC.exe!SSL_write(ssl_st * s=0x02667e78, const void * buf=0x02718048, int num=4) Line 985 + 0x17 bytes C
  StrongDC.exe!dcpp::SSLSocket::write(const void * aBuffer=0x02718048, int aLen=4) Line 138 + 0x19 bytes C++
The address 0x02718048 is a buffer we want to send, length is set to 4. The real
size of the buffer is 32768 (but we need to send less). If I debug the
application, it seems that something in "ssl3_write_bytes" causes it to
point beyond our buffer. The address sent to "do_ssl3_write" (0x02730048)
is higher than 0x02718048 + 32768. The reason for the crash can be that the
variable "tot" in "ssl3_write_bytes" is 16384, then "n=(len-tot)" will give
a negative number for "len" < 16384 (our case).
Tested in OpenSSL 0.9.8k, 1.0 beta2, 1.0 source snapshot from 7.7.2009.
Everything works correctly for non-TLS transfers.
Thank you for looking. If you want more information, I will try to
provide it.
Tomas
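
The arithmetic described in the report, as an added example that is not part of the original message and is not OpenSSL source: a simplified model of a fragment loop using the report's names "tot", "len" and "n", shown without and with a length check. model_write, its status constants, the check_len switch and the assumption that every fragment is written in full are hypothetical.

```c
#include <stdio.h>

#define MAX_FRAGMENT 16384u  /* fragment size seen as len=16384 in the call stack */

enum { WRITE_OK = 0, WRITE_REJECTED = -1, WRITE_OOB = -2 };

/* Hypothetical model, not OpenSSL source. `tot` is the number of bytes a
 * previous, unfinished call already consumed; `len` is what the caller passes
 * now; `buf_size` is the real size of the caller's buffer. Every fragment is
 * assumed to be written in full. On WRITE_OOB, *oob_off is the offset of the
 * first fragment that would be read outside the buffer. */
static int model_write(unsigned int buf_size, unsigned int tot,
                       unsigned int len, int check_len, unsigned int *oob_off)
{
    unsigned int n, nw;

    if (check_len && len < tot)       /* caller shrank len between calls */
        return WRITE_REJECTED;

    n = len - tot;                    /* unsigned: wraps when len < tot */
    for (;;) {
        nw = n > MAX_FRAGMENT ? MAX_FRAGMENT : n;
        if (tot > buf_size || nw > buf_size - tot) {
            *oob_off = tot;
            return WRITE_OOB;
        }
        if (nw == n)
            return WRITE_OK;          /* last fragment sent */
        n -= nw;
        tot += nw;
    }
}

int main(void)
{
    unsigned int off = 0;
    int rc;

    rc = model_write(32768u, 0u, 900u, 0, &off);       /* low from the start */
    printf("len=900 tot=0              -> %d\n", rc);
    rc = model_write(32768u, 16384u, 32768u, 0, &off); /* retry, same len */
    printf("len=32768 tot=16384        -> %d\n", rc);
    rc = model_write(32768u, 16384u, 4u, 0, &off);     /* the reported case */
    printf("len=4 tot=16384            -> %d, first bad offset %u\n", rc, off);
    rc = model_write(32768u, 16384u, 4u, 1, &off);     /* with length check */
    printf("len=4 tot=16384 (checked)  -> %d\n", rc);
    return 0;
}
```

In this model the first read outside a 32768-byte buffer starts at offset 32768. The source address in the reported stack, 0x02730048, lies 0x18000 bytes (six 16384-byte fragments) past the buffer start 0x02718048, which is consistent with a loop of this kind running on until it hit unmapped memory.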
