Hi,

I am working on Android, and when I am running the YouTube application my device crashed.

Below is the log and info regarding the crash:

WAR[10704.237019] == Native crash-info: ==
WAR[10704.237660] pid: 8065, tid: 8103, name: pool-1-thread-5 >>> com.google.android.youtube <<<
WAR[10704.237782] signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr deadbaad
WAR[10704.241781]
WAR[10704.241781] backtrace:
WAR[10704.242269] #00 pc 00013af8 /system/lib/libc.so
WAR[10704.242360] #01 pc 00015ed5 /system/lib/libc.so (dlfree+1628)
WAR[10704.242483] #02 pc 00017083 /system/lib/libc.so (free+10)
WAR[10704.242605] #03 pc 00037dc9 /system/lib/libcrypto.so (CRYPTO_free+24)
WAR[10704.242727] #04 pc 00028f21 /system/lib/libssl.so (ssl_parse_serverhello_tlsext+216)
WAR[10704.242818] #05 pc 0001590b /system/lib/libssl.so (ssl3_get_server_hello+894)
WAR[10704.242940] #06 pc 00018147 /system/lib/libssl.so (ssl3_connect+618)
WAR[10704.243093] #07 pc 000234c3 /system/lib/libssl.so (SSL_do_handshake+66)
WAR[10704.243154] #08 pc 00020a07 /system/lib/libjavacore.so
WAR[10704.243307] #09 pc 0001fb70 /system/lib/libdvm.so (dvmPlatformInvoke+112)
WAR[10704.243429] #10 pc 0004e8b9 /system/lib/libdvm.so (dvmCallJNIMethod(unsigned int const*, JValue*, Method const*, Thread*)+360)
WAR[10704.243551] #11 pc 00029020 /system/lib/libdvm.so
WAR[10704.243642] #12 pc 0002d7e8 /system/lib/libdvm.so (dvmInterpret(Thread*, Method const*, JValue*)+180)
WAR[10704.243764] #13 pc 00060065 /system/lib/libdvm.so (dvmCallMethodV(Thread*, Method const*, Object*, bool, JValue*, std::__va_list)+272)
WAR[10704.243917] #14 pc 0006008f /system/lib/libdvm.so (dvmCallMethod(Thread*, Method const*, Object*, JValue*, ...)+20)
WAR[10704.244039] #15 pc 000554b7 /system/lib/libdvm.so
WAR[10704.244131] #16 pc 00012ef0 /system/lib/libc.so (__thread_entry+48)
WAR[10704.244253] #17 pc 00012648 /system/lib/libc.so (pthread_create+172)

From GDB I am able to track the location of the error.

Below is the code snippet, in file openssl/ssl/t1_lib.c:

int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
{
        /* ... more code here ... */

        else if (type == TLSEXT_TYPE_ec_point_formats &&
                 s->version != DTLS1_VERSION)
        {
                unsigned char *sdata = data;
                int ecpointformatlist_length = *(sdata++);

                if (ecpointformatlist_length != size - 1)
                {
                        *al = TLS1_AD_DECODE_ERROR;
                        return 0;
                }
                s->session->tlsext_ecpointformatlist_length = 0;
                /* the old list is freed here, but the pointer is left non-NULL */
                if (s->session->tlsext_ecpointformatlist != NULL)
                        OPENSSL_free(s->session->tlsext_ecpointformatlist);
                if ((s->session->tlsext_ecpointformatlist =
                     OPENSSL_malloc(ecpointformatlist_length)) == NULL)
                {
                        *al = TLS1_AD_INTERNAL_ERROR;
                        return 0;
                }
                s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
                memcpy(s->session->tlsext_ecpointformatlist, sdata,
                       ecpointformatlist_length);
        }

        /* ... more code here ... */
}


From GDB I found that "s->session->tlsext_ecpointformatlist" is already freed, but not assigned NULL.

I suspect the SSL session pointer "s" is used in multiple places, and once it is freed it must be assigned NULL.

Please give some suggestion.

-- 
Thank you
Dilli Rao

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
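A hardened re-implementation of the ec_point_formats bookkeeping discussed in the post, written as an added example (not OpenSSL's code; session_t and the function names are constructed stand-ins for the s->session fields): the new list is allocated before the old one is released, and the release helper clears the pointer so a second free or a re-parse cannot touch a dangling pointer.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the two session fields the post discusses
   (stand-in for s->session->tlsext_ecpointformatlist / _length). */
typedef struct {
    unsigned char *ecpointformatlist;
    size_t ecpointformatlist_length;
} session_t;

enum { PARSE_OK = 1, PARSE_DECODE_ERROR = 0, PARSE_INTERNAL_ERROR = -1 };

/* Release the current list and clear the pointer, so that a later
   release or re-parse sees NULL instead of freed memory. */
static void session_clear_ecpointformats(session_t *sess)
{
    free(sess->ecpointformatlist);          /* free(NULL) is a no-op */
    sess->ecpointformatlist = NULL;
    sess->ecpointformatlist_length = 0;
}

/* Parse an ec_point_formats extension body: a 1-byte list length
   followed by exactly that many format bytes. `size` is the total
   extension length, as in the original `size - 1` check. */
int parse_ecpointformats(session_t *sess, const unsigned char *data, size_t size)
{
    if (size < 1)
        return PARSE_DECODE_ERROR;
    size_t list_len = data[0];
    if (list_len != size - 1)
        return PARSE_DECODE_ERROR;          /* length must match exactly */

    /* Allocate the replacement first: on failure the session keeps its
       old, still-valid list instead of a freed-but-non-NULL pointer. */
    unsigned char *copy = malloc(list_len ? list_len : 1);
    if (copy == NULL)
        return PARSE_INTERNAL_ERROR;
    memcpy(copy, data + 1, list_len);

    session_clear_ecpointformats(sess);     /* old list released and nulled */
    sess->ecpointformatlist = copy;
    sess->ecpointformatlist_length = list_len;
    return PARSE_OK;
}
```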