Re: [openssl.org #3321] NULL pointer dereference with SSL_MODE_RELEASE_BUFFERS flag

2014-05-03 Thread Kurt Roeckx via RT
On Sat, May 03, 2014 at 01:14:47AM +0200, Matt Caswell via RT wrote:
> This patch looks like a bit of a kludge to me. Release a buffer only to then
> immediately set it up again. Compare with this commit on master:
> https://github.com/openssl/openssl/commit/3ef477c69f2fd39549123d7b0b869029b46cf989
> 
> I think a backport of this might be more appropriate.

Yes.  As far as I can see the master branch didn't have this
problem.


Kurt


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: [openssl.org #3321] NULL pointer dereference with SSL_MODE_RELEASE_BUFFERS flag

2014-05-02 Thread mancha
Kurt Roeckx via RT rt at openssl.org writes:
 
> There is a potential patch for this in libressl, you can see it
> at:
> http://anoncvs.estpak.ee/cgi-bin/cgit/openbsd-src/commit/lib/libssl?id=e76e308f1fab2253ab5b4ef52a1865c5ffecdf21
> 
> Kurt

Hello.

This issue has been assigned CVE-2014-0198. Any news on an 
OpenSSL fix?

Thanks.

--mancha



Re: [openssl.org #3321] NULL pointer dereference with SSL_MODE_RELEASE_BUFFERS flag

2014-05-02 Thread Kurt Roeckx via RT
On Fri, May 02, 2014 at 06:53:06PM +, mancha wrote:
> Kurt Roeckx via RT rt at openssl.org writes:
> > There is a potential patch for this in libressl, you can see it
> > at:
> > http://anoncvs.estpak.ee/cgi-bin/cgit/openbsd-src/commit/lib/libssl?id=e76e308f1fab2253ab5b4ef52a1865c5ffecdf21
> > 
> > Kurt
> 
> Hello.
> 
> This issue has been assigned CVE-2014-0198. Any news on an 
> OpenSSL fix?

I've just created github pull request #94 for that.


Kurt




[openssl.org #3321] NULL pointer dereference with SSL_MODE_RELEASE_BUFFERS flag

2014-05-02 Thread Matt Caswell via RT
This patch looks like a bit of a kludge to me. Release a buffer only to then
immediately set it up again. Compare with this commit on master:
https://github.com/openssl/openssl/commit/3ef477c69f2fd39549123d7b0b869029b46cf989

I think a backport of this might be more appropriate.

Matt



Re: [openssl.org #3321] NULL pointer dereference with SSL_MODE_RELEASE_BUFFERS flag

2014-04-26 Thread Kurt Roeckx via RT
There is a potential patch for this in libressl, you can see it
at:
http://anoncvs.estpak.ee/cgi-bin/cgit/openbsd-src/commit/lib/libssl?id=e76e308f1fab2253ab5b4ef52a1865c5ffecdf21


Kurt


On Mon, Apr 21, 2014 at 05:40:09PM +0200, David Ramos via RT wrote:
> Hello,
> 
> Our UC-KLEE tool found a NULL pointer dereference bug in do_ssl3_write 
> (ssl/s3_pkt.c) when an alert is pending and the SSL_MODE_RELEASE_BUFFERS flag 
> is used. This bug affects the latest 1.0.1 branch.
> 
> The code for do_ssl3_write() first checks whether the write buffer is NULL:
>  644    if (wb->buf == NULL)
>  645        if (!ssl3_setup_write_buffer(s))
>  646            return -1;
> 
> It then dispatches any pending alerts:
>  653    /* If we have an alert to send, lets send it */
>  654    if (s->s3->alert_dispatch)
>  655        {
>  656        i=s->method->ssl_dispatch_alert(s);
> 
> This call to ssl3_dispatch_alert() calls do_ssl3_write() again:
> 1501    i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0);
> 
> Which calls ssl3_write_pending():
>  852    /* we now just need to write the buffer */
>  853    return ssl3_write_pending(s,type,buf,len);
> 
> Which releases the write buffer if SSL_MODE_RELEASE_BUFFERS is used:
>  894    if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
>  895        SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
>  896        ssl3_release_write_buffer(s);
> 
> When control returns back to the original do_ssl3_write() call, wb->buf has 
> been set to NULL (*after* the NULL check). The NULL pointer dereference then 
> occurs at:
>  743    *(p++)=type&0xff;
> 
> A second check is necessary after the call to ssl->dispatch_alert(), or a 
> counter could be added to ssl_st to avoid releasing the buffers if any 
> callers are performing writes.
> 
> -David




[openssl.org #3321] NULL pointer dereference with SSL_MODE_RELEASE_BUFFERS flag

2014-04-21 Thread David Ramos via RT
Hello,

Our UC-KLEE tool found a NULL pointer dereference bug in do_ssl3_write 
(ssl/s3_pkt.c) when an alert is pending and the SSL_MODE_RELEASE_BUFFERS flag 
is used. This bug affects the latest 1.0.1 branch.

The code for do_ssl3_write() first checks whether the write buffer is NULL:
 644    if (wb->buf == NULL)
 645        if (!ssl3_setup_write_buffer(s))
 646            return -1;

It then dispatches any pending alerts:
 653    /* If we have an alert to send, lets send it */
 654    if (s->s3->alert_dispatch)
 655        {
 656        i=s->method->ssl_dispatch_alert(s);

This call to ssl3_dispatch_alert() calls do_ssl3_write() again:
1501    i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0);

Which calls ssl3_write_pending():
 852    /* we now just need to write the buffer */
 853    return ssl3_write_pending(s,type,buf,len);

Which releases the write buffer if SSL_MODE_RELEASE_BUFFERS is used:
 894    if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
 895        SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
 896        ssl3_release_write_buffer(s);

When control returns back to the original do_ssl3_write() call, wb->buf has 
been set to NULL (*after* the NULL check). The NULL pointer dereference then 
occurs at:
 743    *(p++)=type&0xff;

A second check is necessary after the call to ssl->dispatch_alert(), or a 
counter could be added to ssl_st to avoid releasing the buffers if any callers 
are performing writes.

-David

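Added here as an illustration of the control flow in David's report, not OpenSSL's code: a reduced C model in which do_write() plays do_ssl3_write(), write_pending() plays ssl3_write_pending(), and the alert dispatch re-enters do_write() while a write is in progress. Instead of crashing, the model records whether the buffer pointer was NULL at the point where OpenSSL dereferences it, and the recheck flag applies the second NULL check the report asks for. struct conn, run() and the MODE_RELEASE_BUFFERS constant are hypothetical stand-ins; 21 and 23 are the TLS record types for alert and application data.

```c
/* Added example, not OpenSSL code: an instrumented model of the re-entrant
 * write in the report. All names are hypothetical stand-ins for the real ones. */
#include <stdlib.h>
#define MODE_RELEASE_BUFFERS 1u       /* stands in for SSL_MODE_RELEASE_BUFFERS */

struct conn {
    unsigned mode;                    /* s->mode */
    unsigned char *wbuf;              /* wb->buf, NULL once released */
    int alert_pending;                /* s->s3->alert_dispatch */
    int recheck;                      /* 1 = apply the second NULL check the report asks for */
    int null_at_write;                /* set where OpenSSL would dereference NULL */
};

static int setup_write_buffer(struct conn *c)
{
    return c->wbuf != NULL || (c->wbuf = calloc(1, 64)) != NULL;
}

/* ssl3_write_pending(): the buffer is released once the record is out */
static int write_pending(struct conn *c)
{
    if (c->mode & MODE_RELEASE_BUFFERS) { free(c->wbuf); c->wbuf = NULL; }
    return 1;
}

/* do_ssl3_write(): NULL check, alert dispatch, then the record write */
static int do_write(struct conn *c, unsigned char type)
{
    unsigned char *p;
    if (c->wbuf == NULL && !setup_write_buffer(c)) return -1;
    if (c->alert_pending) {
        /* ssl3_dispatch_alert() re-enters do_write() for the alert record */
        c->alert_pending = 0;
        if (do_write(c, 21) <= 0) return -1;       /* 21 = SSL3_RT_ALERT */
        /* the nested write may have released wbuf: check again before use */
        if (c->recheck && c->wbuf == NULL && !setup_write_buffer(c)) return -1;
    }
    p = c->wbuf;
    if (p == NULL) { c->null_at_write = 1; return -1; }  /* real code: *(p++)=type&0xff; */
    *(p++) = type & 0xff;
    return write_pending(c);
}
/* one application-data write with an alert pending; returns 1 if NULL was reached */
int run(int recheck)
{
    struct conn c = { MODE_RELEASE_BUFFERS, NULL, 1, recheck, 0 };
    do_write(&c, 23);                 /* 23 = SSL3_RT_APPLICATION_DATA */
    free(c.wbuf);
    return c.null_at_write;
}
```

run(0) reaches the NULL use exactly as the report describes; run(1) does not, because the buffer is set up again after the nested alert write released it.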