[Pkg-openssl-devel] Bug#742240: libssl1.0.0: TLSv1_client_method()/SSL_Connect() heap overrun

Brandon debian at bwysystems.com
Fri Mar 21 06:04:11 UTC 2014 

Package: libssl1.0.0
Version: 1.0.1e-2+deb7u4
Severity: normal

Dear Maintainer,

When creating a client context with SSL_CTX_new(TLSv1_client_method()),
SSL_Connect() triggers a heap overrun with the following output from valgrind:

==24315== Thread 10:
==24315== Invalid write of size 4
==24315==    at 0x4C2B4FF: memset (mc_replace_strmem.c:966)
==24315==    by 0x5894BAE: MD5_Final (md5.c:293)
==24315==    by 0x72A8CED: EVP_DigestFinal_ex (digest.c:272)
==24315==    by 0x673797A: ssl3_get_key_exchange (s3_clnt.c:1782)
==24315==    by 0x673B042: ssl3_connect (s3_clnt.c:359)
==24315==    by 0x58818EE: _sock_connected (sock.c:596)
==24315==    by 0x587A531: _thread (thread.c:644)
==24315==    by 0x5442B4F: start_thread (pthread_create.c:304)
==24315==  Address 0x7866694 is 0 bytes after a block of size 100 alloc'd
==24315==    at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==24315==    by 0x721B77F: CRYPTO_malloc (mem.c:308)
==24315==    by 0x72A8B48: EVP_DigestInit_ex (digest.c:210)
==24315==    by 0x673791A: ssl3_get_key_exchange (s3_clnt.c:1777)
==24315==    by 0x673B042: ssl3_connect (s3_clnt.c:359)
==24315==    by 0x58818EE: _sock_connected (sock.c:596)
==24315==    by 0x587A531: _thread (thread.c:644)
==24315==    by 0x5442B4F: start_thread (pthread_create.c:304)
==24315==

SSL_Connect() returned WANT_READ, and once there was data on the socket calling
SSL_Connect() the second time triggered the bug.

The bug is fixed by creating a context with SSLv23_client_method() instead.

Thanks,
Brandon



-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libssl1.0.0 depends on:
ii  debconf [debconf-2.0]  1.5.49
ii  libc6                  2.13-38+deb7u1
ii  multiarch-support      2.13-38+deb7u1
ii  zlib1g                 1:1.2.7.dfsg-13

libssl1.0.0 recommends no packages.

libssl1.0.0 suggests no packages.

-- debconf information excluded

More information about the Pkg-openssl-devel mailing list