Thank you for your reply. I believe RTI passes the SSL object s to OpenSSL, and OpenSSL extracts b = SSL_get_wbio(s) as in BIO_ctrl(SSL_get_wbio(s),...)

Does it mean s was changed/flushed by RTI when OpenSSL was still using b?

My Pham

-----Original Message-----
From: Stephen Henson via RT [mailto:[email protected]]
Sent: Thursday, January 30, 2014 6:23 AM
To: Pham, My V (IS)
Cc: [email protected]
Subject: EXT :[openssl.org #3248] Bug - OpenSSL 0.9.8 crashes randomly at the call to BIO_test_flags()

On Thu Jan 30 07:17:19 2014, [email protected] wrote:
> To OpenSSL Support:
>
> We would like to report an OpenSSL crash that occurs randomly at the
> call to BIO_test_flags() in the file crypto/bio/bio_lib.c. It happens
> with various versions of OpenSSL-0.9.8 (r, x, ...) and the problem
> seems to be BIO_test_flags() was dereferencing the input pointer 'BIO
> *b' without first null-checking it, resulting in a crash when b
> happens to be null.
>

The problem is more related to that BIO and where it ultimately comes from. From the stack trace:

> > #8 0x01ad0ad9 in BIO_test_flags (b=0x0, flags=15) at bio_lib.c:151
> > #9 0x01ad16bc in BIO_copy_next_retry (b=0xb41db140) at bio_lib.c:569
> > #10 0x01ad509a in buffer_ctrl (b=0xb41db140, cmd=11, num=0, ptr=0x0) at bf_buff.c:410

This shows we have a buffering BIO in use and it is attempting to copy retry reasons when it is being flushed. A buffering BIO should always have a source/sink BIO (in DTLS it will typically be a socket BIO) following it but in this case it doesn't have anything.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
