oss-sec mailing list archives
Re: Use-after-free race condition in OpenSSL's read buffer
From: Solar Designer <solar () openwall com>
Date: Sun, 13 Apr 2014 10:44:54 +0400
On Sat, Apr 12, 2014 at 09:47:49PM -0600, Scotty Bauer wrote:
Patch is available at: http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/008_openssl.patch
Some context to this: http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse

This specific patch is found in Benson Kwok's bug report: https://rt.openssl.org/Ticket/Display.html?id=2167&user=guest&pass=guest

Benson writes:

"The issue is when the buffer is released by ssl3_release_read_buffer(), there may still be data left in the buffer (s->s3->rbuf.left != 0). With single threading, when another read occurs, the same buffer is reused during a call to ssl3_setup_read_buffer(), so the data is still there and can be read and processed, so it works fine. When running with multiple threads, the buffer is shared in a pool and another thread may have gotten that buffer already. If the call to ssl3_setup_read_buffer() returns a new buffer, it assumes the data is still there but will run into a parsing error with the record."

(Of course, "parsing error" isn't necessarily the worst outcome.)

Alexander
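To make the interleaving Benson describes concrete, here is a small constructed model (added here, not OpenSSL's code and not from the thread): two connections share one buffer pool, a connection releases its read buffer while `rbuf.left` bytes are still unread, another thread grabs that buffer, and the first connection's `setup` then returns a different one. The "fixed" release, which simply refuses to hand the buffer back while `left != 0`, is an assumption about what a correct fix must do, not a quote of the actual patch.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a shared read-buffer freelist; not OpenSSL's code. */
#define BUF_LEN 64

struct rbuf { unsigned char *buf; size_t left; };   /* like s->s3->rbuf */

static unsigned char pool_a[BUF_LEN], pool_b[BUF_LEN];
static unsigned char *freelist[2];
static int free_top;

static unsigned char *freelist_pop(void) { return free_top ? freelist[--free_top] : NULL; }
static void freelist_push(unsigned char *b) { freelist[free_top++] = b; }

/* ssl3_setup_read_buffer analogue: take whatever buffer the shared pool offers. */
static int setup_read_buffer(struct rbuf *r) {
    if (r->buf) return 1;            /* already holding one: nothing to do */
    r->buf = freelist_pop();
    return r->buf != NULL;
}

/* Buggy release: returns the buffer to the pool even with bytes still unread. */
static void release_read_buffer_buggy(struct rbuf *r) {
    freelist_push(r->buf); r->buf = NULL;
}

/* Safe release (assumed fix): keep the buffer while unread bytes remain. */
static void release_read_buffer_fixed(struct rbuf *r) {
    if (r->left != 0) return;
    freelist_push(r->buf); r->buf = NULL;
}

/* Returns 1 if the partial record bytes survive release -> other thread's
 * setup -> own setup; returns 0 if the connection now reads a different buffer. */
int leftover_survives(int use_fix) {
    static const unsigned char partial_hdr[3] = { 0x17, 0x03, 0x01 }; /* constructed */
    struct rbuf conn1 = { NULL, 0 }, conn2 = { NULL, 0 };
    free_top = 0; freelist_push(pool_a); freelist_push(pool_b);  /* reset pool */

    setup_read_buffer(&conn1);
    memcpy(conn1.buf, partial_hdr, sizeof partial_hdr);
    conn1.left = sizeof partial_hdr;          /* data left unread in the buffer */
    if (use_fix) release_read_buffer_fixed(&conn1);
    else         release_read_buffer_buggy(&conn1);

    setup_read_buffer(&conn2);                /* another thread pops from the pool */
    memset(conn2.buf, 0xAA, BUF_LEN);         /* and reuses it for its own records */

    setup_read_buffer(&conn1);                /* first connection resumes reading */
    return conn1.buf != NULL && memcmp(conn1.buf, partial_hdr, sizeof partial_hdr) == 0;
}
```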