Hello,

The openssl command line tool treats the non-null terminated buffer "mbuf" as a C string when using the pop3 s_client feature. This causes a segmentation fault with malloc.conf option "J" set when BIO_printf() runs off the end of the buffer. The following patch from OpenBSD fixes the issue.
Original OpenBSD PR including reproduction instructions and stack trace: http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=6282

Matthew

Index: s_client.c =================================================================== RCS file: /v/openssl/cvs/openssl/apps/s_client.c,v retrieving revision 1.130 diff -u -r1.130 s_client.c --- s_client.c 16 Dec 2009 20:25:58 -0000 1.130 +++ s_client.c 21 Apr 2010 01:12:59 -0000 @@ -1136,7 +1136,11 @@ } else if (starttls_proto == PROTO_POP3) { - BIO_read(sbio,mbuf,BUFSIZZ); + mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ); + if (mbuf_len < 0) { + BIO_printf(bio_err, "BIO_read failed\n"); + goto end; + } BIO_printf(sbio,"STLS\r\n"); BIO_read(sbio,sbuf,BUFSIZZ); } @@ -1252,7 +1256,7 @@ if (starttls_proto) { - BIO_printf(bio_err,"%s",mbuf); + BIO_write(bio_err, mbuf, mbuf_len); /* We don't need to know any more */ starttls_proto = PROTO_OFF; }
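
Review bot: in the PROTO_POP3 branch (hunk at -1136) the new check is `mbuf_len < 0`, so a return of 0 from BIO_read (nothing read) falls through and "STLS\r\n" is still sent; consider `<= 0` or handle the empty case explicitly. The context line `BIO_read(sbio,sbuf,BUFSIZZ);` after the STLS write still discards its return value, which leaves sbuf with the same unknown length and no terminator that this patch addresses for mbuf. Capture and check that length as well if sbuf is ever inspected or printed.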
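
Review bot: the `BIO_write(bio_err, mbuf, mbuf_len);` in the `if (starttls_proto)` block (hunk at -1252) runs for every STARTTLS protocol, but this patch assigns mbuf_len only in the PROTO_POP3 branch and shows no declaration or initialisation of it. Confirm that the variable is initialised to 0 and that every other branch that fills mbuf also stores the byte count in mbuf_len. Otherwise the write uses a stale or wrong length for the non-POP3 protocols.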
