Hi,
You are right: there is a double free bug in the function
*ssl3_get_key_exchange* which leads to a crash if an error occurs.
The bug is in line 1510 of s3_clnt.c where we forget to set the variable
bn_ctx to NULL after freeing it, and this leads to the double free error
when BN_CTX_free is called a second time on line 1650.
I'm attaching a patch against the latest source that corrects this. I'll
also send it to RT.
Thanks for the report.
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
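Added illustration, not Mounir's patch and not OpenSSL code: a small C harness that reproduces the shape of the bug described above (an early BN_CTX_free on the success path followed by a common err: cleanup that frees the same pointer again) and shows that nulling the pointer after the first free is what makes the second call harmless. All names here (ctx_new, ctx_free, key_exchange_path, count_double_frees) are hypothetical stand-ins.

```c
#include <stddef.h>

/* Hypothetical stand-in for BN_CTX: a "freed" flag lets the harness
 * observe a double free instead of aborting inside glibc. */
typedef struct { int freed; } bn_ctx_t;

static bn_ctx_t g_pool;        /* single static context, no malloc needed */
static int g_double_frees;     /* frees observed on an already-freed ctx */

static bn_ctx_t *ctx_new(void)
{
    g_pool.freed = 0;
    return &g_pool;
}

static void ctx_free(bn_ctx_t *c)
{
    if (c == NULL)             /* like BN_CTX_free, NULL is a no-op */
        return;
    if (c->freed) {            /* this is where glibc would abort */
        g_double_frees++;
        return;
    }
    c->freed = 1;
}

/* Mirrors the structure of the ECDH branch in ssl3_get_key_exchange:
 * the temporary context is freed once it is no longer needed, a later
 * step may fail and jump to the shared err: cleanup, which frees again.
 * fix_null == 1 applies the patch (set bn_ctx to NULL after freeing). */
static int key_exchange_path(int fail_later, int fix_null)
{
    bn_ctx_t *bn_ctx = ctx_new();

    /* ... work that needs bn_ctx would happen here ... */
    ctx_free(bn_ctx);          /* the line-1510 style early free */
    if (fix_null)
        bn_ctx = NULL;         /* the one-line fix */

    if (fail_later)            /* e.g. a signature check fails */
        goto err;
    return 1;                  /* success path never reaches err: */
err:
    ctx_free(bn_ctx);          /* the line-1650 style common cleanup */
    return -1;
}

/* Returns how many double frees the scenario produced. */
int count_double_frees(int fail_later, int fix_null)
{
    g_double_frees = 0;
    key_exchange_path(fail_later, fix_null);
    return g_double_frees;
}
```

Only the combination "error after the early free, pointer not nulled" trips the detector, which is exactly the path Georgi's s_client run exercised.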
On 8/8/2010 3:04 PM, Georgi Guninski wrote:
I was pointing out this:
~/local/bin/openssl s_client -connect localhost:8888
depth=0 CN = CA
verify return:1
*** glibc detected *** /home/build/local/bin/openssl: double free or corruption (fasttop): 0x0000000000979300 ***
The glibc message means that the current heap operation is on an invalid
pointer. The testcase crashed the browser links on Arch Linux too (when
trying to connect to s_server -www).
BTW, it seems *important* to use |s_server| from *1.0.0a*.
On Sat, Aug 07, 2010 at 02:21:09PM +0300, Georgi Guninski wrote:
openssl-1.0.0a on Ubuntu, Debian and Arch.
Attached a private key and a cert.
~/local/bin/openssl s_server -www -accept 8888 -cert /tmp/CA.cert -key /tmp/CA.key
~/local/bin/openssl s_client -connect localhost:8888
depth=0 CN = CA
verify return:1
*** glibc detected *** /home/build/local/bin/openssl: double free or corruption (fasttop): 0x0000000000979300 ***
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
--- E:/dev/libraries/openssl-1.0.latest/ssl/s3_clnt.c.original Sun Feb 28
01:24:24 2010
+++ E:/dev/libraries/openssl-1.0.latest/ssl/s3_clnt.c Sun Aug 8 14:49:30 2010
@@ -1508,6 +1508,7 @@
s->session->sess_cert->peer_ecdh_tmp=ecdh;
ecdh=NULL;
BN_CTX_free(bn_ctx);
+ bn_ctx = NULL;
EC_POINT_free(srvr_ecpoint);
srvr_ecpoint = NULL;
}
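Review bot: The added `bn_ctx = NULL;` after `BN_CTX_free(bn_ctx);` is the right fix for the path described in the thread: BN_CTX_free treats NULL as a no-op, so the second call in the common err: cleanup becomes harmless once the pointer is cleared. The hunk already shows the same discipline being applied to the neighbouring resources (`ecdh=NULL;`, `srvr_ecpoint = NULL;`), so the new line is consistent with the surrounding style; it would be worth a quick scan of the other early frees in this function to confirm none of them needs the same treatment.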