[Pkg-openssl-devel] Re: [jaenicke@openssl.org: Re: Potential security hole in openssl]
Bodo Moeller
bmoeller at acm.org
Fri Mar 2 11:50:09 CET 2007
On Fri, Mar 02, 2007 at 07:42:59AM +0000, Julian Gilbey wrote:
> On Fri, Mar 02, 2007 at 12:56:32AM +0100, Bodo Moeller wrote:
>> Can you link the application with libefence.a? If done correctly,
>> this will make it a lot slower; but more importantly, quite possibly
>> you'll observe a segmentation fault earlier in the program flow:
> Will try to have a go over the weekend. Some of you will have seen
> the email by Kurt Roeckx where he found a bug in proxytunnel; fixing
> this fixes the problem. However, it is still unclear to me whether
> there is also a bug in openssl which is potentially exploitable.
>
> The patch by Kurt is attached.
>
> Julian
> --- io.c.old 2007-02-25 18:02:48.000000000 +0100
> +++ io.c 2007-03-01 23:15:53.000000000 +0100
> @@ -61,7 +61,7 @@
>
> if( args_info.verbose_flag )
> {
> - char * dstr = malloc(sizeof(buf-1) );
> + char * dstr = malloc(strlen(buf) -1 );
> strlcpy( dstr, buf, strlen(buf) -1 );
> if (strcmp(dstr, ""))
> message( "<- %s\n", dstr );
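Review bot: the new size expression still underflows on short input. With buf == "" the value strlen(buf) - 1 wraps to SIZE_MAX, malloc(SIZE_MAX) returns NULL, and the strlcpy that follows stores its terminator through a null pointer; with a one-character line malloc(0) yields NULL or a zero-usable block, and a size-0 strlcpy stores no NUL, so the later strcmp(dstr, "") dereferences NULL or reads past the allocation. Guard the short cases and the allocation before copying, e.g. `size_t len = strlen(buf);` then `if( len >= 2 && (dstr = malloc(len - 1)) != NULL )` around the copy and the message() call. For lines of two or more characters the arithmetic now matches: strlcpy with size strlen(buf) - 1 stores strlen(buf) - 2 characters plus a NUL, which is exactly the strlen(buf) - 1 bytes allocated, whereas the old sizeof(buf-1) was sizeof(char *), so every line longer than a pointer overran the heap chunk. The hunk also does not show dstr being freed after message(); worth confirming in the surrounding code.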
Well, this very much appears to be the cause of the buffer overflow
that I suspected -- especially if you take into account that the value
of pointer ds->cipher that gdb showed for the segmentation fault
(0x2f4c5357) happens to be ASCII text ("WSL/" in little-endian land).
Bodo
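An added example, not code from proxytunnel or from this thread, that works through the two points made above: how far the pre-patch `malloc(sizeof(buf-1))` allocation falls short of what `strlcpy(dstr, buf, strlen(buf)-1)` stores, and why a pointer value such as 0x2f4c5357 is a tell-tale of text overwriting heap metadata or a neighbouring object. The sample status line is constructed for the example, and `dup_without_crlf` is a hardened replacement of my own for the verbose-logging copy, not the fix the project adopted.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input (an assumption, not taken from the thread): the kind
   of CRLF-terminated status line a proxy sends back and proxytunnel logs. */
static const char SAMPLE_LINE[] = "HTTP/1.0 200 Connection established\r\n";

/* What the pre-patch code allocates: sizeof() of the pointer expression (buf-1),
   i.e. sizeof(char *), whatever the length of the line. */
size_t buggy_alloc_size(const char *buf)
{
    return sizeof(buf - 1);
}

/* Bytes that strlcpy(dstr, buf, strlen(buf)-1) stores: strlen(buf)-2 characters
   plus the terminating NUL, so strlen(buf)-1 bytes for a line of 2+ characters.
   Short lines are the edge cases: size 0 stores nothing, and strlen("")-1 wraps
   to SIZE_MAX, so only the NUL is stored. */
size_t strlcpy_bytes_written(const char *buf)
{
    size_t n = strlen(buf);
    if (n == 0) return 1;   /* size wraps to SIZE_MAX: 0 characters, then NUL */
    if (n == 1) return 0;   /* size 0: strlcpy touches nothing */
    return n - 1;
}

/* Heap bytes written past the end of dstr by the pre-patch code. */
size_t overflow_bytes(const char *buf)
{
    size_t written = strlcpy_bytes_written(buf);
    size_t alloc = buggy_alloc_size(buf);
    return written > alloc ? written - alloc : 0;
}

/* Decode a corrupted pointer the way Bodo did: read its bytes in memory order on
   a little-endian machine as characters. width is the pointer size in bytes. */
void pointer_as_text(uintptr_t value, unsigned width, char out[9])
{
    unsigned n = width < 8 ? width : 8;
    for (unsigned i = 0; i < n; i++) {
        unsigned char b = (unsigned char)(value >> (8 * i));
        out[i] = isprint(b) ? (char)b : '.';
    }
    out[n] = '\0';
}

/* Convenience check: does the pointer decode to the expected text? */
int pointer_reads_as(uintptr_t value, unsigned width, const char *expected)
{
    char text[9];
    pointer_as_text(value, width, text);
    return strcmp(text, expected) == 0;
}

/* Hardened replacement for the logging copy: strip trailing CR/LF bytes instead
   of blindly dropping two characters, size the allocation from the result, and
   check malloc. Returns NULL only on allocation failure; the caller frees. */
char *dup_without_crlf(const char *buf)
{
    size_t n = strlen(buf);
    while (n > 0 && (buf[n - 1] == '\n' || buf[n - 1] == '\r'))
        n--;
    char *dstr = malloc(n + 1);
    if (dstr == NULL)
        return NULL;
    memcpy(dstr, buf, n);
    dstr[n] = '\0';
    return dstr;
}

/* Convenience check for the hardened copy: strips, compares, frees. */
int strip_matches(const char *in, const char *expected)
{
    char *out = dup_without_crlf(in);
    int ok = out != NULL && strcmp(out, expected) == 0;
    free(out);
    return ok;
}

int main(void)
{
    printf("line length %zu, allocated %zu, written %zu, overflow %zu bytes\n",
           strlen(SAMPLE_LINE), buggy_alloc_size(SAMPLE_LINE),
           strlcpy_bytes_written(SAMPLE_LINE), overflow_bytes(SAMPLE_LINE));

    char text[9];
    pointer_as_text(0x2f4c5357u, 4, text);
    printf("ds->cipher = 0x2f4c5357 reads as \"%s\"\n", text);

    char *clean = dup_without_crlf(SAMPLE_LINE);
    if (clean != NULL) {
        printf("<- %s\n", clean);
        free(clean);
    }
    return 0;
}
```

On a 64-bit build the sample line overruns the 8-byte chunk by 28 bytes, on a 32-bit build the 4-byte chunk by 32; in either case the bytes landing on whatever follows the chunk are the ASCII of the line itself, which is exactly the pattern a pointer like 0x2f4c5357 shows when decoded little-endian.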