The code which reproduces the crash (not necessarily minimal):

#include <openssl/ssl.h>

/* Callback bodies were not part of the report; minimal pass-through
   versions are supplied here so the snippet compiles. */
static long bio_callback(BIO *b, int oper, const char *argp, int argi,
                         long argl, long ret) { return ret; }
static int dtls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx) { return preverify_ok; }

void reproduce_crash(void)
{
    SSL_library_init();
    SSL_CTX * dtls_context = SSL_CTX_new(DTLSv1_method());
    SSL_CTX_set_read_ahead(dtls_context, 1);
    SSL_CTX_set_cipher_list(dtls_context, "DEFAULT:!LOW:!EXP:!MD5");
    SSL_CTX_set_options(dtls_context, SSL_OP_NO_TICKET);
    SSL * client_ssl = SSL_new(dtls_context);
    SSL_set_options(client_ssl, SSL_OP_NO_QUERY_MTU); /* was "client_ssl_context", an undeclared name */
    BIO * client_ip_bio = BIO_new(BIO_s_mem());
    BIO * client_op_bio = BIO_new(BIO_s_mem());
    BIO_set_callback(client_op_bio, bio_callback);
    BIO_set_callback_arg(client_op_bio, NULL);
    SSL_set_bio(client_ssl, client_ip_bio, client_op_bio);
    SSL_set_verify(client_ssl, SSL_VERIFY_PEER, dtls_verify_callback);
    SSL_set_connect_state(client_ssl);
    SSL_set_mtu(client_ssl, 1400); /* manually set MTU, lost when dtls1_clear() memsets DTLS1_STATE */
    SSL_do_handshake(client_ssl);
}

--

Paul

On 12/09/11 14:45, Robin Seggelmann wrote:
> Hi Paul,
>
> On Sep 9, 2011, at 4:56 PM, Paul Witty wrote:
>
>> Since updating to OpenSSL 1.0.0e from 1.0.0d, I've been suffering a crash when
>> connecting with DTLS.  I've tracked this down to trying to perform a memcpy of
>> (unsigned int)-13 in do_dtls1_write (where a length of -13 is passed all the
>> way down from dtls1_do_write), which seems to be because the MTU on the DTLS
>> context is 0, despite having manually set it to a non-zero value.  Further
>> investigation shows that the change to dtls1_clear is clearing everything in
>> the DTLS1_STATE, which includes my previously configured MTU.  Preserving the
>> value of the MTU across the memset in dtls1_clear fixes the issue.
>
> I just looked into this and I guess you're right. Currently, DTLS1_STATE is
> always cleared and thus the MTU set to 0 before starting the initial handshake.
> By default, the MTU will be retrieved from the socket of the BIO object, if
> possible, or the default value is used later on. If SSL_OP_NO_QUERY_MTU is set
> to prevent the retrieval from the BIO object to provide the MTU manually, it
> will use the MTU stored in DTLS1_STATE as it is, that is 0, which makes no
> sense whatsoever.
>
> So the MTU stored in DTLS1_STATE must not be cleared if SSL_OP_NO_QUERY_MTU is
> set, otherwise there is no proper way to set the MTU manually. I'll provide a
> patch shortly.
>
> Thanks for the report!
>
> Best regards
> Robin

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
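The state-clearing problem discussed in the thread, as an added illustration that is not OpenSSL code and not Paul's or Robin's: a small model of a DTLS connection whose per-connection state is wiped at handshake start. It shows the buggy clear (which discards a manually set MTU), the fixed clear (which carries the MTU across the memset when queries are disabled), and the unsigned subtraction that turns an MTU of 0 into a copy length of (unsigned int)-13. All names and numbers are assumptions: OPT_NO_QUERY_MTU stands in for SSL_OP_NO_QUERY_MTU, struct dtls_state for DTLS1_STATE, and RECORD_OVERHEAD is the 13-byte DTLS record header, chosen because it matches the -13 in the report, not because this is where OpenSSL subtracts it.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not OpenSSL code. Every name and constant here is an
 * assumption made for the model. */

#define OPT_NO_QUERY_MTU 0x1UL   /* stands in for SSL_OP_NO_QUERY_MTU */
#define DEFAULT_MTU      1400U   /* hypothetical fallback if the transport gives nothing */
#define RECORD_OVERHEAD  13U     /* DTLS record header: type, version, epoch, seq, length */

struct dtls_state {              /* stands in for DTLS1_STATE */
    unsigned int mtu;            /* set manually, or queried from the transport */
    unsigned int next_seq;       /* other state that genuinely must be reset */
    int handshake_in_progress;
};

struct conn {                    /* stands in for SSL */
    unsigned long options;
    struct dtls_state d1;
};

/* Before the fix: the whole state block is zeroed, so a manually
 * configured MTU is discarded along with everything else. */
static void dtls_clear_buggy(struct conn *c)
{
    memset(&c->d1, 0, sizeof(c->d1));
}

/* After the fix: with queries disabled nothing later repopulates the MTU,
 * so carry it across the memset. */
static void dtls_clear_fixed(struct conn *c)
{
    unsigned int keep = (c->options & OPT_NO_QUERY_MTU) ? c->d1.mtu : 0;
    memset(&c->d1, 0, sizeof(c->d1));
    c->d1.mtu = keep;
}

/* Handshake start: clear, then settle the MTU. With queries enabled the
 * transport value (or the default) is used; with queries disabled whatever
 * is already in d1.mtu is trusted. Returns 0 if the MTU is usable, -1 if not. */
int begin_handshake(struct conn *c, unsigned int transport_mtu, int use_fix)
{
    if (use_fix)
        dtls_clear_fixed(c);
    else
        dtls_clear_buggy(c);
    c->d1.handshake_in_progress = 1;
    if (!(c->options & OPT_NO_QUERY_MTU))
        c->d1.mtu = transport_mtu ? transport_mtu : DEFAULT_MTU;
    return c->d1.mtu > RECORD_OVERHEAD ? 0 : -1;
}

/* The arithmetic that turns an MTU of 0 into a huge unsigned copy length:
 * unsigned subtraction with no range check. */
unsigned int naive_payload_len(unsigned int mtu)
{
    return mtu - RECORD_OVERHEAD;
}

/* Same computation with the check a write path needs regardless of the
 * clear() fix: refuse to fragment with an MTU that cannot hold a header. */
long checked_payload_len(unsigned int mtu)
{
    if (mtu <= RECORD_OVERHEAD)
        return -1;
    return (long)(mtu - RECORD_OVERHEAD);
}

/* Reproduce the reported setup: queries disabled, MTU set manually to 1400,
 * then the handshake starts. Returns the MTU the writer would see. */
unsigned int mtu_seen_by_writer(int use_fix)
{
    struct conn c;
    memset(&c, 0, sizeof(c));
    c.options = OPT_NO_QUERY_MTU;
    c.d1.mtu = 1400;             /* the model's SSL_set_mtu(ssl, 1400) */
    (void)begin_handshake(&c, 0, use_fix);
    return c.d1.mtu;
}

/* Default setup: queries enabled, the MTU comes from the transport. */
unsigned int mtu_after_query(unsigned int transport_mtu)
{
    struct conn c;
    memset(&c, 0, sizeof(c));
    (void)begin_handshake(&c, transport_mtu, 0);
    return c.d1.mtu;
}

int main(void)
{
    printf("manual MTU after buggy clear: %u\n", mtu_seen_by_writer(0));
    printf("manual MTU after fixed clear: %u\n", mtu_seen_by_writer(1));
    printf("naive length with MTU 0:      %u\n", naive_payload_len(0));
    printf("checked length with MTU 0:    %ld\n", checked_payload_len(0));
    return 0;
}
```

The two halves are deliberately separate: preserving the MTU across the clear restores the manual-MTU path, while the range check in checked_payload_len is what keeps a zero or tiny MTU from reaching memcpy as a wrapped-around length in the first place. A write path that only has the first fix still trusts whatever value it finds in the state block.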