Re: [openssl.org #3321] NULL pointer dereference with SSL_MODE_RELEASE_BUFFERS flag
On Sat, May 03, 2014 at 01:14:47AM +0200, Matt Caswell via RT wrote:
> This patch looks like a bit of a kludge to me. Release a buffer only to
> then immediately set it up again. Compare with this commit on master:
> https://github.com/openssl/openssl/commit/3ef477c69f2fd39549123d7b0b869029b46cf989
> I think a backport of this might be more appropriate.

Yes. As far as I can see the master branch didn't have this problem.

Kurt

__
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
Re: [openssl.org #3321] NULL pointer dereference with SSL_MODE_RELEASE_BUFFERS flag
Kurt Roeckx via RT <rt at openssl.org> writes:
> There is a potential patch for this in libressl, you can see it at:
> http://anoncvs.estpak.ee/cgi-bin/cgit/openbsd-src/commit/lib/libssl?id=e76e308f1fab2253ab5b4ef52a1865c5ffecdf21
>
> Kurt

Hello.

This issue has been assigned CVE-2014-0198. Any news on an OpenSSL fix?

Thanks.

--mancha
Re: [openssl.org #3321] NULL pointer dereference with SSL_MODE_RELEASE_BUFFERS flag
On Fri, May 02, 2014 at 06:53:06PM +0000, mancha wrote:
> Kurt Roeckx via RT <rt at openssl.org> writes:
> > There is a potential patch for this in libressl, you can see it at:
> > http://anoncvs.estpak.ee/cgi-bin/cgit/openbsd-src/commit/lib/libssl?id=e76e308f1fab2253ab5b4ef52a1865c5ffecdf21
> >
> > Kurt
>
> Hello.
>
> This issue has been assigned CVE-2014-0198. Any news on an OpenSSL fix?

I've just created github pull request #94 for that.

Kurt
[openssl.org #3321] NULL pointer dereference with SSL_MODE_RELEASE_BUFFERS flag
This patch looks like a bit of a kludge to me. Release a buffer only to then immediately set it up again. Compare with this commit on master:

https://github.com/openssl/openssl/commit/3ef477c69f2fd39549123d7b0b869029b46cf989

I think a backport of this might be more appropriate.

Matt
Re: [openssl.org #3321] NULL pointer dereference with SSL_MODE_RELEASE_BUFFERS flag
There is a potential patch for this in libressl, you can see it at:
http://anoncvs.estpak.ee/cgi-bin/cgit/openbsd-src/commit/lib/libssl?id=e76e308f1fab2253ab5b4ef52a1865c5ffecdf21

Kurt

On Mon, Apr 21, 2014 at 05:40:09PM +0200, David Ramos via RT wrote:
> Hello,
>
> Our UC-KLEE tool found a NULL pointer dereference bug in do_ssl3_write
> (ssl/s3_pkt.c) when an alert is pending and the SSL_MODE_RELEASE_BUFFERS
> flag is used. This bug affects the latest 1.0.1 branch.
>
> The code for do_ssl3_write() first checks whether the write buffer is NULL:
>
>   644         if (wb->buf == NULL)
>   645                 if (!ssl3_setup_write_buffer(s))
>   646                         return -1;
>
> It then dispatches any pending alerts:
>
>   653         /* If we have an alert to send, lets send it */
>   654         if (s->s3->alert_dispatch)
>   655                 {
>   656                 i=s->method->ssl_dispatch_alert(s);
>
> This call to ssl3_dispatch_alert() calls do_ssl3_write() again:
>
>  1501         i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0);
>
> Which calls ssl3_write_pending():
>
>   852         /* we now just need to write the buffer */
>   853         return ssl3_write_pending(s,type,buf,len);
>
> Which releases the write buffer if SSL_MODE_RELEASE_BUFFERS is used:
>
>   894                 if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
>   895                         SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
>   896                         ssl3_release_write_buffer(s);
>
> When control returns back to the original do_ssl3_write() call, wb->buf
> has been set to NULL (*after* the NULL check). The NULL pointer
> dereference then occurs at:
>
>   743         *(p++)=type&0xff;
>
> A second check is necessary after the call to ssl_dispatch_alert(), or a
> counter could be added to ssl_st to avoid releasing the buffers if any
> callers are performing writes.
>
> -David
[openssl.org #3321] NULL pointer dereference with SSL_MODE_RELEASE_BUFFERS flag
Hello,

Our UC-KLEE tool found a NULL pointer dereference bug in do_ssl3_write (ssl/s3_pkt.c) when an alert is pending and the SSL_MODE_RELEASE_BUFFERS flag is used. This bug affects the latest 1.0.1 branch.

The code for do_ssl3_write() first checks whether the write buffer is NULL:

  644         if (wb->buf == NULL)
  645                 if (!ssl3_setup_write_buffer(s))
  646                         return -1;

It then dispatches any pending alerts:

  653         /* If we have an alert to send, lets send it */
  654         if (s->s3->alert_dispatch)
  655                 {
  656                 i=s->method->ssl_dispatch_alert(s);

This call to ssl3_dispatch_alert() calls do_ssl3_write() again:

 1501         i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0);

Which calls ssl3_write_pending():

  852         /* we now just need to write the buffer */
  853         return ssl3_write_pending(s,type,buf,len);

Which releases the write buffer if SSL_MODE_RELEASE_BUFFERS is used:

  894                 if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
  895                         SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
  896                         ssl3_release_write_buffer(s);

When control returns back to the original do_ssl3_write() call, wb->buf has been set to NULL (*after* the NULL check). The NULL pointer dereference then occurs at:

  743         *(p++)=type&0xff;

A second check is necessary after the call to ssl_dispatch_alert(), or a counter could be added to ssl_st to avoid releasing the buffers if any callers are performing writes.

-David
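The re-entrant release David describes, as an added example that is not OpenSSL's code and not part of the thread: a small C model of the do_ssl3_write() path in which the nested alert write frees the buffer the outer call already checked. The names struct conn, do_write(), write_pending(), dispatch_alert() and run_scenario() are hypothetical stand-ins for ssl_st, do_ssl3_write(), ssl3_write_pending() and ssl3_dispatch_alert(); the stale dereference is reported as a return code instead of crashing so the outcomes can be compared. Both remedies he proposes, a second NULL check after the alert dispatch and an in-flight counter that stops the release while an outer write is running, are modelled as switchable fixes.

```c
/*
 * Added example (not OpenSSL code): a compact model of the re-entrancy bug
 * in do_ssl3_write(). struct conn, do_write(), write_pending(),
 * dispatch_alert() and run_scenario() are hypothetical stand-ins.
 */
#include <stdlib.h>
#include <string.h>

#define MODE_RELEASE_BUFFERS 0x1   /* stands in for SSL_MODE_RELEASE_BUFFERS */
#define RT_ALERT   21
#define RT_APPDATA 23
#define WBUF_SIZE  64
#define WOULD_CRASH (-2)           /* reported instead of dereferencing NULL */

enum fix { FIX_NONE, FIX_RECHECK, FIX_COUNTER };

struct conn {
    unsigned mode;             /* s->mode */
    int alert_dispatch;        /* s->s3->alert_dispatch */
    unsigned char alert[2];    /* s->s3->send_alert */
    unsigned char *wbuf;       /* wb->buf; NULL once released */
    int writes_in_flight;      /* the counter David suggests; used by FIX_COUNTER */
    enum fix fix;
};

/* ssl3_setup_write_buffer(): allocate only if we have no buffer yet */
static int setup_write_buffer(struct conn *s)
{
    if (s->wbuf == NULL && (s->wbuf = malloc(WBUF_SIZE)) == NULL)
        return 0;
    return 1;
}

/* ssl3_release_write_buffer(): free and clear the pointer */
static void release_write_buffer(struct conn *s)
{
    free(s->wbuf);
    s->wbuf = NULL;
}

/* ssl3_write_pending(): "send" the record, then drop the buffer if the mode
 * asks for it. With FIX_COUNTER the buffer survives while an outer do_write()
 * is still running (writes_in_flight > 1). */
static int write_pending(struct conn *s, size_t len)
{
    if ((s->mode & MODE_RELEASE_BUFFERS) &&
        (s->fix != FIX_COUNTER || s->writes_in_flight == 1))
        release_write_buffer(s);
    return (int)len;
}

static int do_write(struct conn *s, int type, const unsigned char *buf, size_t len);

/* ssl3_dispatch_alert(): clear the flag, then re-enter do_write() for the alert */
static int dispatch_alert(struct conn *s)
{
    s->alert_dispatch = 0;
    return do_write(s, RT_ALERT, s->alert, sizeof s->alert);
}

/* do_ssl3_write(): the NULL check, the nested alert write, then the record header */
static int do_write(struct conn *s, int type, const unsigned char *buf, size_t len)
{
    unsigned char *p;
    int i = -1;

    s->writes_in_flight++;
    if (!setup_write_buffer(s))            /* the check at line 644 */
        goto out;
    if (s->alert_dispatch) {               /* lines 653-656 */
        if (dispatch_alert(s) <= 0)        /* may release wbuf on the way back */
            goto out;
        if (s->fix == FIX_RECHECK && !setup_write_buffer(s))   /* the second check */
            goto out;
    }
    p = s->wbuf;
    if (p == NULL) {                       /* line 743: *(p++)=type&0xff; */
        i = WOULD_CRASH;                   /* a real build dereferences NULL here */
        goto out;
    }
    *(p++) = (unsigned char)(type & 0xff);
    if (len > WBUF_SIZE - 1)
        len = WBUF_SIZE - 1;
    memcpy(p, buf, len);
    i = write_pending(s, len + 1);
out:
    s->writes_in_flight--;
    return i;
}

/* One application write issued while an alert is pending. Returns bytes
 * written, -1 on error, or WOULD_CRASH when the stale pointer is hit. */
int run_scenario(enum fix fix, int release_mode)
{
    struct conn s;
    static const unsigned char app[] = "hello";   /* constructed sample payload */
    int r;

    memset(&s, 0, sizeof s);
    s.mode = release_mode ? MODE_RELEASE_BUFFERS : 0;
    s.alert_dispatch = 1;
    s.alert[0] = 2; s.alert[1] = 40;       /* fatal handshake_failure */
    s.fix = fix;
    r = do_write(&s, RT_APPDATA, app, sizeof app - 1);
    release_write_buffer(&s);              /* free(NULL) is harmless if already released */
    return r;
}
```

Without SSL_MODE_RELEASE_BUFFERS the nested write leaves the buffer alone and the outer write completes; with the mode set and no fix, the outer call reaches the header write holding a pointer that the nested ssl3_write_pending() already freed, which is exactly the window UC-KLEE flagged. Either fix closes it: re-running the setup after the alert dispatch restores the buffer, and the counter keeps the release from happening until the outermost write is done.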