Hello,
I was asked to log this against rt@ so that it wouldn't be lost. I've
also included the full debug information requested in the README file.
The openssl command line tool treats the non-null terminated buffer
"mbuf" as a C string when using the pop3 s_client feature. This causes
a segmentation fault with malloc.conf option "J" set when BIO_printf()
runs off the end of the buffer. The following patch from OpenBSD fixes
the issue.
Matthew
$ sudo ln -s J /etc/malloc.conf
$ openssl s_client -starttls pop3 -connect mail.teksavvy.com:pop3
CONNECTED(00000005)
depth=0 ST = Ontario, L = Chatham, O = "TekSavvy Solutions, Inc", CN = Teksavvy
verify error:num=18:self signed certificate
verify return:1
depth=0 ST = Ontario, L = Chatham, O = "TekSavvy Solutions, Inc", CN = Teksavvy
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 ST = Ontario, L = Chatham, O = "TekSavvy Solutions, Inc", CN = Teksavvy
verify error:num=10:certificate has expired
notAfter=Feb 1 18:27:40 2006 GMT
verify return:1
depth=0 ST = Ontario, L = Chatham, O = "TekSavvy Solutions, Inc", CN = Teksavvy
notAfter=Feb 1 18:27:40 2006 GMT
verify return:1
---
Certificate chain
0 s:/ST=Ontario/L=Chatham/O=TekSavvy Solutions, Inc/CN=Teksavvy
i:/ST=Ontario/L=Chatham/O=TekSavvy Solutions, Inc/CN=Teksavvy
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/ST=Ontario/L=Chatham/O=TekSavvy Solutions, Inc/CN=Teksavvy
issuer=/ST=Ontario/L=Chatham/O=TekSavvy Solutions, Inc/CN=Teksavvy
---
No client certificate CA names sent
---
SSL handshake has read 824 bytes and written 350 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key:
4A9D7601F01978AD202E21E564669853CDD7E18ED60975A6E6E05B3B5095D356FC1679BFBF5C68E7787A11FDFE9B0169
Key-Arg : None
PSK identity: None
PSK identity hint: None
Start Time: 1271924351
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
---
Segmentation fault (core dumped)
$ gdb openssl --core openssl.core
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-openbsd4.5"...
Core was generated by `openssl'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libpthread.so.11.1...done.
Loaded symbols for /usr/lib/libpthread.so.11.1
Symbols already loaded for /usr/lib/libpthread.so.11.1
Reading symbols from /usr/lib/libc.so.50.1...done.
Loaded symbols for /usr/lib/libc.so.50.1
Reading symbols from /usr/libexec/ld.so...done.
Loaded symbols for /usr/libexec/ld.so
#0 0x1c09fcd1 in fmtstr (sbuffer=0xcfbe410c, buffer=0xcfbe4110,
currlen=0xcfbe40c4, maxlen=0xcfbe4114,
value=0x814f5000 "+OK mail.pppoe.ca Internet Mail Server v1.0 POP3 Thu, 22
Apr 2010 04:19:10 -0400 <[email protected]>\r\n", 'Ð' <repeats 87
times>..., flags=0, min=-809615164, max=2147483647) at b_print.c:448
448 for (strln = 0; value[strln]; ++strln)
(gdb) bt full
#0 0x1c09fcd1 in fmtstr (sbuffer=0xcfbe410c, buffer=0xcfbe4110,
currlen=0xcfbe40c4, maxlen=0xcfbe4114,
value=0x814f5000 "+OK mail.pppoe.ca Internet Mail Server v1.0 POP3 Thu, 22
Apr 2010 04:19:10 -0400 <[email protected]>\r\n", 'Ð' <repeats 87
times>..., flags=0, min=-809615164, max=2147483647) at b_print.c:448
padlen = -809612936
strln = 8192
cnt = 0
#1 0x1c0a0b5f in _dopr (sbuffer=0xcfbe410c, buffer=0xcfbe4110,
maxlen=0xcfbe4114, retlen=0xcfbe40c4, truncated=0x2000,
format=0x3c04834d "", args=0xcfbe497c " ") at b_print.c:375
ch = 43 '+'
value = 2019561052756132072
fvalue = 1.7385111512339592e-310
strvalue = 0xcfbe40c4 ""
min = 0
max = 2147483647
state = -809612936
flags = 0
cflags = 0
currlen = 0
#2 0x1c0a0626 in BIO_vprintf (bio=0x8418b3c0, format=0x3c04834b "%s",
args=0xcfbe4118
"è\002\0359Vt\223³ÄÖéý\022(?Wp\212¥ÁÞü\033;L^q\205\232°Çßø\022-If\204£ÃÔæù\r\"8Og\200\232µÑî\f+K\\n\201\225ªÀ×ï\b\"=Yv\224³Óäö\t\0352H_w\220ªÅáþ\034;[l~\221¥ºÐçÿ\0302Mi\206¤Ããô\006\031-BXo\207 ºÕñ\016,Kk|\216¡µÊà÷\017èB¾ÏE\233h\016")
at b_print.c:795
ret = -809615080
retlen = 958202600
hugebuf =
"ÄÖéý\022(?Wp\212¥ÁÞü\033;L^q\205\232°Çßø\022-If\204£ÃÔæù\r\"8Og\200\232µÑî\f+K\\n\201\225ªÀ×ï\b\"=Yv\224³Óäö\t\0352H_w\220ªÅáþ\034;[l~\221¥ºÐçÿ\0302Mi\206¤Ããô\006\031-BXo\207 ºÕñ\016,Kk|\216¡µÊà÷\017èB¾ÏE\233h\016\0004°\210d´g.èB¾Ï'\233h\016\214\236±ÅÚð\a\037ÀA¾Ï\000Ä~\205\024&9Mbx\217§ÀÚõ\021.Lk\213\234®ÁÕê\000\027/(C¾ÏE\233h\016\0004°\210d´g."...
hugebufp = 0xcfbe4120
"ÄÖéý\022(?Wp\212¥ÁÞü\033;L^q\205\232°Çßø\022-If\204£ÃÔæù\r\"8Og\200\232µÑî\f+K\\n\201\225ªÀ×ï\b\"=Yv\224³Óäö\t\0352H_w\220ªÅáþ\034;[l~\221¥ºÐçÿ\0302Mi\206¤Ããô\006\031-BXo\207 ºÕñ\016,Kk|\216¡µÊà÷\017èB¾ÏE\233h\016"
hugebufsize = 2048
dynbuf = 0x0
ignored = -1282182058
#3 0x1c0a05a5 in BIO_printf (bio=0x8418b3c0, format=0x3c04834b "%s")
at b_print.c:775
ret = -809615164
#4 0x1c021fe3 in s_client_main (argc=0, argv=0xcfbe5168) at s_client.c:1259
j = 1
lf_num = 1
off = 0
clr = 0
con = (SSL *) 0x8b4e2200
s = 5
k = 32
width = 6
state = 0
cbuf = 0x84285000 ""
sbuf = 0x8a4be000 "+OK Ready to start TLS\r\n", 'Ð' <repeats 176
times>...
mbuf = 0x814f5000 "+OK mail.pppoe.ca Internet Mail Server v1.0 POP3
Thu, 22 Apr 2010 04:19:10 -0400 <[email protected]>\r\n", 'Ð'
<repeats 87 times>...
cbuf_len = 0
cbuf_off = 0
sbuf_len = 0
sbuf_off = 0
readfds = {fds_bits = {0 <repeats 32 times>}}
writefds = {fds_bits = {0 <repeats 32 times>}}
port = 110
full_log = 0
host = 0xcfbe52eb "mail.teksavvy.com"
cert_file = 0x0
key_file = 0x0
cert_format = 3
key_format = 3
passarg = 0x0
pass = 0x0
cert = (X509 *) 0x0
key = (EVP_PKEY *) 0x0
CApath = 0x0
CAfile = 0x0
cipher = 0x0
reconnect = 0
badop = -809615164
verify = 0
bugs = 0
crlf = 0
write_tty = 0
read_tty = 1
write_ssl = 0
read_ssl = 1
tty_on = 1
ssl_pending = 1
ctx = (SSL_CTX *) 0x8b4e2e00
ret = 1
in_init = 0
i = -809615061
nbio_test = 0
starttls_proto = 2
prexit = 0
vpm = (X509_VERIFY_PARAM *) 0x0
badarg = 0
meth = (const SSL_METHOD *) 0x3c0180e0
socket_type = 1
sbio = (BIO *) 0x1
inrand = 0x0
mbuf_len = 32
timeout = {tv_sec = -2137915392, tv_usec = 688209396}
timeoutp = (struct timeval *) 0x0
engine_id = 0x0
ssl_client_engine_id = 0x0
ssl_client_engine = (ENGINE *) 0x0
e = (ENGINE *) 0x20
servername = 0x0
tlsextcbp = {biodebug = 0x0, ack = 0}
sess_in = 0x0
sess_out = 0x0
peer = {sa_len = 160 ' ', sa_family = 34 '"',
sa_data = "\006<\b*\000\034à´B\t\2007°\210"}
peerlen = 16
enable_timeouts = 0
socket_mtu = 0
#5 0x1c0022b5 in do_cmd (prog=0x88b03780, argc=5, argv=0xcfbe5154)
at openssl.c:413
f = {type = -809612156, name = 0xcfbe52ca "s_client",
func = 0xcfbe4c48}
fp = (FUNCTION *) 0x3c0561b8
i = -809612256
ret = 1
tp = 315646420
nl = 8192
#6 0x1c002127 in main (Argc=5, Argv=0xcfbe5154) at openssl.c:312
arg = {data = 0x0, count = 0}
pname =
"openssl\000U\220\f\t\000p\206\204\000\020\000\000\001\000\000\000\030p\206\204;ZÚ\005\000\000\000\000\000\020\000"
f = {type = -809612076, name = 0xcfbe5094 "openssl", func = 0x8011e634}
fp = (FUNCTION *) 0xcfbe40c4
prompt = 0x2000 <Address 0x2000 out of bounds>
buf =
"ô¶Ü\0060\000\000\000\024M¾ÏÀL¾ÏÄL¾Ï\000\000\000\000ÿÿÿÿ\000\000\000\000\001\000\000\000äâ\021\200ô¶Ü\006Ðq\004\täâ\021\200\214aÚ%äâ\021\200
\020\a)$M¾ÏV\214Ú\005\000\000\000\000\214aÚ%$M¾ÏÄ\214Ú_\003", '\0' <repeats 11
times>,
"à»g\016\022â\021\200\026Î\a\tÍÚ\f\t\035¨g\016(\034\001\000(\000\000\000¨¥g\016è\213g\016\004æ\021\200¼á\021\200tM¾ÏÁuÚ\005Ää\021\200Ó»g\016«£î\t0\000\000\000´M¾Ï`M¾ÏdM¾Ï\000\000\000\000ÄM¾Ï\000\000\000\000\001\000\000\000Ää\021\200«"...
to_free = 0x8c046380 "/usr/local/ssl/openssl.cnf"
n = -809611116
i = -809615164
ret = 635068812
argc = 0
argv = (char **) 0x5da4f98
p = 0xcfbe4c84 "ÔL¾Ï\224P¾Ï4æ\021\200²å\004\tô¶Ü\0060"
prog = (struct lhash_st_FUNCTION *) 0x88b03780
errline = 98190808
(gdb) quit
$ make report
$ cat testlog
OpenSSL self-test report:
OpenSSL version: 1.1.0-dev
Last change: New function OPENSSL_gmtime_diff to find the difference...
Options: 386 no-gmp no-jpake no-krb5 no-md2 no-rc5 no-rfc3779
no-shared no-sse2 no-store no-zlib no-zlib-dynamic static-engine
OS (uname): OpenBSD x31.local 4.5 GENERIC#1749 i386
OS (config): i386-whatever-openbsd
Target (default): BSD-x86-elf
Target: debug-BSD-x86-elf
Compiler: Configured with:
Thread model: single
gcc version 3.3.5 (propolice)
Test passed.
$ openssl version -a
OpenSSL 1.1.0-dev xx XXX xxxx
built on: Thu Apr 22 17:39:19 CST 2010
platform: debug-BSD-x86-elf
options: bn(64,32) rc4(4x,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
compiler: gcc -DOPENSSL_THREADS -pthread -D_THREAD_SAFE -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIOS -O3 -Wall -g
-DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM
-DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
OPENSSLDIR: "/usr/local/ssl"
$ gcc --version
gcc (GCC) 3.3.5 (propolice)
Copyright (C) 2003 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
$ sysctl kern.version
kern.version=OpenBSD 4.5 (GENERIC) #1749: Sat Feb 28 14:51:18 MST 2009
[email protected]:/usr/src/sys/arch/i386/compile/GENERIC
Original OpenBSD PR including reproduction instructions and stack trace:
http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=6282
Index: s_client.c
===================================================================
RCS file: /v/openssl/cvs/openssl/apps/s_client.c,v
retrieving revision 1.130
diff -u -r1.130 s_client.c
--- s_client.c 16 Dec 2009 20:25:58 -0000 1.130
+++ s_client.c 21 Apr 2010 01:12:59 -0000
@@ -1136,7 +1136,11 @@
}
else if (starttls_proto == PROTO_POP3)
{
- BIO_read(sbio,mbuf,BUFSIZZ);
+ mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
+ if (mbuf_len < 0) {
+ BIO_printf(bio_err, "BIO_read failed\n");
+ goto end;
+ }
BIO_printf(sbio,"STLS\r\n");
BIO_read(sbio,sbuf,BUFSIZZ);
}
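Review bot: the new `if (mbuf_len < 0)` check catches a failed BIO_read but not a zero-byte return; with `mbuf_len == 0` the code goes on to send STLS without having received a greeting, so consider treating 0 (peer closed before the banner) as an error as well. The return value of the following `BIO_read(sbio,sbuf,BUFSIZZ);` is still discarded, which leaves sbuf unterminated and unsized in exactly the way mbuf was; record its length too. Minor style point: the added lines put `{` on the `if` line, whereas the surrounding code places braces on their own lines.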
@@ -1252,7 +1256,7 @@
if (starttls_proto)
{
- BIO_printf(bio_err,"%s",mbuf);
+ BIO_write(bio_err, mbuf, mbuf_len);
/* We don't need to know any more */
starttls_proto = PROTO_OFF;
}
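Review bot: `BIO_write(bio_err, mbuf, mbuf_len);` is reached for any non-zero starttls_proto, but the first hunk assigns mbuf_len only in the PROTO_POP3 branch; confirm that every other STARTTLS branch that fills mbuf also records its length, otherwise this write uses a stale or uninitialised mbuf_len for those protocols. BIO_write's return value is ignored here, consistent with the BIO_printf it replaces, so that is acceptable but worth noting.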
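The following is an added, self-contained example (not part of this report and not OpenSSL code) that reproduces the defect's shape without touching the network: a mock of BIO_read() copies a constructed POP3 greeting into a buffer that has been pre-filled with a non-zero junk byte (mimicking the malloc.conf "J" fill visible as the 'Ð' repeats in the trace), shows that no NUL exists within the buffer so a "%s" scan would have no stopping point, and then prints the banner bounded by the byte count the read returned, which is the same idea as the patch's BIO_write(bio_err, mbuf, mbuf_len). BUFSIZZ, wire_greeting, mock_bio_read, terminated_len and format_banner are all names made up for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUFSIZZ 64  /* stand-in for OpenSSL's BUFSIZZ, kept small for the demo */

/* Constructed POP3 greeting, as the bytes would arrive on the wire. A real
 * BIO_read() copies only these bytes into the caller's buffer; it never
 * appends a NUL terminator. */
static const char wire_greeting[] = "+OK mail.example.invalid POP3 ready\r\n";

/* Mock of BIO_read(): fills buf with up to len bytes of the greeting and
 * returns the byte count, like the real call it stands in for. */
int mock_bio_read(char *buf, int len)
{
    size_t n = strlen(wire_greeting);
    if (buf == NULL || len <= 0)
        return -1;
    if ((size_t)len < n)
        n = (size_t)len;
    memcpy(buf, wire_greeting, n);
    return (int)n;
}

/* Where would a "%s" scan stop? Returns the offset of the first NUL within
 * the first cap bytes, or cap if there is none. In the latter case the loop
 * "for (strln = 0; value[strln]; ++strln)" in fmtstr() would keep walking
 * past the end of the buffer, which is what the core dump above shows. */
size_t terminated_len(const char *buf, size_t cap)
{
    const char *nul = memchr(buf, '\0', cap);
    return nul ? (size_t)(nul - buf) : cap;
}

/* Fixed pattern: bound the output by the byte count BIO_read() returned
 * rather than by a terminator the wire data does not carry. "%.*s" is the
 * printf-family equivalent of BIO_write(bio_err, mbuf, mbuf_len).
 * Returns the number of banner bytes emitted, or -1 on a failed read. */
int format_banner(char *out, size_t outsz, const char *mbuf, int mbuf_len)
{
    if (mbuf_len < 0)
        return -1;
    int r = snprintf(out, outsz, "%.*s", mbuf_len, mbuf);
    if (r < 0)
        return -1;
    if ((size_t)r >= outsz)           /* output truncated; out stays NUL-terminated */
        return (int)(outsz - 1);
    return r;
}

/* Runs the whole scenario and returns 1 when the unbounded scan would have
 * overrun the buffer AND the bounded print reproduced the greeting exactly. */
int demo_is_correct(void)
{
    char mbuf[BUFSIZZ];
    char out[256];

    /* Mimic malloc.conf "J": fresh memory holds a non-zero junk byte, so
     * there is no accidental NUL after the received data. */
    memset(mbuf, 0xD0, sizeof mbuf);

    int mbuf_len = mock_bio_read(mbuf, BUFSIZZ);
    if (mbuf_len < 0)
        return 0;
    int unterminated = terminated_len(mbuf, BUFSIZZ) == BUFSIZZ;
    int n = format_banner(out, sizeof out, mbuf, mbuf_len);
    return unterminated && n == mbuf_len && strcmp(out, wire_greeting) == 0;
}

int main(void)
{
    char mbuf[BUFSIZZ];
    char out[256];

    memset(mbuf, 0xD0, sizeof mbuf);
    int mbuf_len = mock_bio_read(mbuf, BUFSIZZ);
    printf("BIO_read returned %d bytes\n", mbuf_len);
    printf("NUL within the %d-byte buffer: %s\n", BUFSIZZ,
           terminated_len(mbuf, BUFSIZZ) == BUFSIZZ ? "none (a %%s scan would overrun)"
                                                      : "found");
    int n = format_banner(out, sizeof out, mbuf, mbuf_len);
    printf("bounded print of %d bytes: %s", n, out);
    return demo_is_correct() ? 0 : 1;
}
```

Running it prints the read length, reports that no NUL lies inside the buffer, and then emits the banner bounded by that length; the buffer poisoning is what turns a silent over-read into a reproducible failure, which is why the report's malloc.conf "J" setting surfaced the bug.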