Hey,

I found a bug (presumably in the `s_client`) that causes a null ptr dereference when communicating with a server. If you need a gdb session for debugging the crash, please use pernos.co.

The tested version was v3.8.1. If you need any further help, please let me know.
```
Program received signal SIGSEGV, Segmentation fault.
bn_bitsize (bn=0x0)
    at crypto/bn/bn_primitives.c:55
55          while (i < bn->top) {
(rr) bt
#0  bn_bitsize (bn=0x0)
    at crypto/bn/bn_primitives.c:55
#1  0x00005555555e0698 in ssl_print_tmp_key (out=out@entry=0x555555c881b0, s=s@entry=0x555555c8bda0)
    at apps/openssl/s_cb.c:273
#2  0x00005555555e71e6 in print_stuff (bio=bio@entry=0x555555c881b0, s=s@entry=0x555555c8bda0, full=full@entry=1)
    at apps/openssl/s_client.c:1705
#3  0x00005555555e63c2 in s_client_main (argc=<optimized out>, argv=<optimized out>)
    at apps/openssl/s_client.c:1587
#4  0x00005555555cd732 in do_cmd (prog=0x555555c7ee20, argc=18, argv=0x7fffffffe5b0)
    at apps/openssl/openssl.c:513
#5  main (argc=18, argv=0x7fffffffe5b0)
    at apps/openssl/openssl.c:458
```
The public key that is passed to `bn_bitsize` is zeroed out here:
```
Hardware watchpoint 1: pkey

Old value = (EVP_PKEY *) 0x555555ca1940
New value = (EVP_PKEY *) 0x0
0x00005555556156e5 in _SSL_get_peer_tmp_key (s=0x555555c8bda0, key=0x7fffffffc200)
    at libressl/ssl/s3_lib.c:1729
1729            *key = pkey;
(rr) bt
#0  0x00005555556156e5 in _SSL_get_peer_tmp_key (s=0x555555c8bda0, key=0x7fffffffc200)
    at libressl/ssl/s3_lib.c:1729
#1  0x00005555555e0644 in ssl_print_tmp_key (out=out@entry=0x555555c881b0, s=0x555555a66120 <locks+1040>,
    s@entry=0x555555c8bda0)
    at libressl/apps/openssl/s_cb.c:267
#2  0x00005555555e71e6 in print_stuff (bio=bio@entry=0x555555c881b0, s=s@entry=0x555555c8bda0, full=full@entry=1)
    at libressl/apps/openssl/s_client.c:1705
#3  0x00005555555e63c2 in s_client_main (argc=<optimized out>, argv=<optimized out>)
    at libressl/apps/openssl/s_client.c:1587
#4  0x00005555555cd732 in do_cmd (prog=0x555555c7ee20, argc=18, argv=0x7fffffffe5b0)
    at libressl/apps/openssl/openssl.c:513
#5  main (argc=18, argv=0x7fffffffe5b0)
    at libressl/apps/openssl/openssl.c:458
```
Best,
Nils
Thanks for the report. This is indeed mostly a bug in the `s_client` that tries to print out as much information as it can instead of erroring out. However, libssl could be a bit more careful and not leave behind an invalid DH object in that situation so that `ssl_print_tmp_key()` doesn't access NULL.

Fixing this is on my todo list, but not super high priority.
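As an added illustration of the failure mode described above (this is example code written for this page, not LibreSSL's code and not part of the thread), the snippet below models the two steps in the trace with toy types: an accessor that reports success yet hands back a NULL public key from a DH object that was left in an invalid state, and a printer that passes that key to a `bn_bitsize`-style routine. `print_tmp_key_unchecked` reproduces the crashing pattern; `print_tmp_key_checked` is the defensive form that treats a NULL key as "nothing to print". All names (`toy_bn`, `toy_dh`, `toy_ssl`, `toy_get_peer_tmp_key`, the `demo_*` helpers) and the sample key value are constructed for the example and are not LibreSSL identifiers; the accessor's success-with-NULL behaviour is an assumption modelled from the watchpoint in the report, not a statement about the real `SSL_get_peer_tmp_key`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-ins for the objects in the trace (constructed for this example;
 * they are not LibreSSL's BIGNUM, DH, EVP_PKEY or SSL types). */
typedef struct { int top; unsigned long d[4]; } toy_bn;  /* d[0..top-1] hold the words */
typedef struct { toy_bn *pub_key; } toy_dh;              /* pub_key == NULL models the invalid DH object */
typedef struct { toy_dh *tmp_dh; } toy_ssl;

/* Highest set bit over all words, in the spirit of bn_bitsize: it reads
 * bn->top unconditionally, so a NULL bn is a segfault, as in the report. */
static int toy_bn_bitsize(const toy_bn *bn)
{
    const int wbits = (int)(sizeof(unsigned long) * 8);
    int bits = 0;
    for (int i = 0; i < bn->top; i++) {
        unsigned long w = bn->d[i];
        int n = 0;
        while (w != 0) { w >>= 1; n++; }
        if (n != 0)
            bits = i * wbits + n;
    }
    return bits;
}

/* Models the watchpoint hit in the report: the accessor returns success but
 * stores whatever pub_key holds, which may be NULL. (Assumption for this
 * example only; not a description of the real library's accessor.) */
static int toy_get_peer_tmp_key(const toy_ssl *s, toy_bn **key)
{
    if (s->tmp_dh == NULL)
        return 0;
    *key = s->tmp_dh->pub_key;
    return 1;
}

/* The crashing pattern: a successful return is taken to mean "key is valid". */
static int print_tmp_key_unchecked(const toy_ssl *s, char *out, size_t outlen)
{
    toy_bn *key = NULL;
    if (!toy_get_peer_tmp_key(s, &key))
        return snprintf(out, outlen, "Server Temp Key: (none)");
    return snprintf(out, outlen, "Server Temp Key: DH, %d bits", toy_bn_bitsize(key));
}

/* Hardened: a NULL key is reported as absent instead of being dereferenced. */
static int print_tmp_key_checked(const toy_ssl *s, char *out, size_t outlen)
{
    toy_bn *key = NULL;
    if (!toy_get_peer_tmp_key(s, &key) || key == NULL)
        return snprintf(out, outlen, "Server Temp Key: (none)");
    return snprintf(out, outlen, "Server Temp Key: DH, %d bits", toy_bn_bitsize(key));
}

/* Session whose DH object was left behind with no public key: the checked
 * printer must report "(none)" and this returns 1; the unchecked one would crash. */
int demo_missing_key_is_handled(void)
{
    toy_dh dh = { NULL };
    toy_ssl s = { &dh };
    char out[64];
    int n = print_tmp_key_checked(&s, out, sizeof out);
    return n > 0 && strcmp(out, "Server Temp Key: (none)") == 0;
}

/* Session with a valid 16-bit toy public key (constructed value): both printers
 * must agree; returns the bit count they printed, or -1 on mismatch. */
int demo_bits_with_key(void)
{
    toy_bn pub = { 1, { 0xFFFFUL, 0, 0, 0 } };
    toy_dh dh = { &pub };
    toy_ssl s = { &dh };
    char a[64], b[64];
    int bits = -1;
    print_tmp_key_unchecked(&s, a, sizeof a);
    print_tmp_key_checked(&s, b, sizeof b);
    if (strcmp(a, b) != 0 || sscanf(b, "Server Temp Key: DH, %d bits", &bits) != 1)
        return -1;
    return bits;
}

int main(void)
{
    printf("missing key handled: %d\n", demo_missing_key_is_handled());
    printf("bits with key: %d\n", demo_bits_with_key());
    return 0;
}
```

The point of the checked variant is the one the maintainer makes: a client-side diagnostic printer should degrade to "no key to show" rather than trust that a successful accessor call implies a non-NULL object, and the library side should avoid leaving a half-initialised DH object for that accessor to hand out.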