On Sun Nov 23 19:09:46 2014, prav...@viptela.com wrote:
> This happens when the server is unreachable. The client, when it is trying
> to resend the client_hello, is barfing on the fragment->frag value. Is this
> a known issue? Let me know if you need any more info.
>
> Not consistently reproducible. Please let us know if I can work around this
> issue.
>
Curious.

Can you confirm the OpenSSL version and platform that you are using?

The only way I can see for frag->fragment to be NULL is if s->init_num is 0
when the message is buffered in the first place. Messages get buffered in
dtls1_buffer_message in d1_both.c:

    frag = dtls1_hm_fragment_new(s->init_num, 0);
    if (!frag)
        return 0;

    memcpy(frag->fragment, s->init_buf->data, s->init_num);

If init_num is 0 then the memcpy does nothing and so will not fail if
frag->fragment is NULL.
dtls1_hm_fragment_new does this:

    unsigned char *buf = NULL;
    unsigned char *bitmask = NULL;

    frag = (hm_fragment *)OPENSSL_malloc(sizeof(hm_fragment));
    if (frag == NULL)
        return NULL;

    if (frag_len)
    {
        buf = (unsigned char *)OPENSSL_malloc(frag_len);
        if (buf == NULL)
        {
            OPENSSL_free(frag);
            return NULL;
        }
    }

    /* zero length fragment gets zero frag->fragment */
    frag->fragment = buf;

So if s->init_num is 0 then frag_len is 0 and frag->fragment gets set to NULL.

dtls1_buffer_message gets called from a number of places (client side):
- In dtls1_client_hello
- In dtls1_send_client_key_exchange
- In dtls1_send_client_verify
- In dtls1_send_client_certificate
- In dtls1_send_finished
- In dtls1_send_change_cipher_spec

Based on your stack trace and description it seems likely that the one we're
interested in is dtls1_client_hello which does this:

    d = p = &(buf[DTLS1_HM_HEADER_LENGTH]); /* DTLS1_HM_HEADER_LENGTH is 12 */
    ...
    /* Do lots of stuff that increments p but doesn't change buf that I can see */
    ...
    /* number of bytes to write */
    s->init_num = p - buf;
    s->init_off = 0;

    /* buffer the message to handle re-xmits */
    dtls1_buffer_message(s, 0);

So at the moment I can't see how frag->fragment is ending up being NULL in your
situation.

If I sent you some instrumented code would you be able to apply it and see if
that helps us narrow down what's going on?

Thanks

Matt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
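A reduced model of the zero-length fragment case discussed above, as an added example that is not OpenSSL's code: `fragment_new` mirrors the quoted `dtls1_hm_fragment_new` logic, `buffer_message` and `retransmit` are hypothetical stand-ins for `dtls1_buffer_message` and the retransmit path, and `retransmit` shows the NULL/zero-length check a retransmit path needs so a fragment buffered with `init_num == 0` is refused rather than dereferenced.

```c
/* Added example, not OpenSSL's code: models how a zero-length buffered
 * message ends up with fragment == NULL and how a retransmit path should
 * guard against it. Names are hypothetical stand-ins for d1_both.c. */
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned char *fragment;  /* NULL when frag_len == 0 */
    size_t frag_len;
} hm_fragment;

/* Same shape as the quoted dtls1_hm_fragment_new: a zero-length
 * request deliberately leaves fragment NULL (not an allocation failure). */
static hm_fragment *fragment_new(size_t frag_len) {
    unsigned char *buf = NULL;
    hm_fragment *frag = malloc(sizeof(hm_fragment));
    if (frag == NULL)
        return NULL;
    if (frag_len) {
        buf = malloc(frag_len);
        if (buf == NULL) { free(frag); return NULL; }
    }
    frag->fragment = buf;     /* zero length fragment gets zero fragment */
    frag->frag_len = frag_len;
    return frag;
}

/* Stand-in for dtls1_buffer_message: copies init_num bytes. With
 * init_num == 0 nothing is copied, so the NULL fragment goes unnoticed
 * here and only surfaces when something later dereferences it. */
static hm_fragment *buffer_message(const unsigned char *init_buf, size_t init_num) {
    hm_fragment *frag = fragment_new(init_num);
    if (frag == NULL)
        return NULL;
    if (init_num)             /* guarded; the real code relies on n == 0 being a no-op */
        memcpy(frag->fragment, init_buf, init_num);
    return frag;
}

/* Hardened retransmit: refuses a fragment with no payload or one that does
 * not fit the output buffer. Returns bytes written, or -1 on refusal. */
static int retransmit(const hm_fragment *frag, unsigned char *out, size_t out_len) {
    if (frag == NULL || frag->fragment == NULL || frag->frag_len == 0 ||
        frag->frag_len > out_len)
        return -1;
    memcpy(out, frag->fragment, frag->frag_len);
    return (int)frag->frag_len;
}

static void fragment_free(hm_fragment *frag) {
    if (frag) { free(frag->fragment); free(frag); }
}
```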