[openssl.org #3577] Crash bug in latest openssl versions due to ssl_st.method==NULL
Nick Mathewson via RT
2014-10-20 20:37:14 UTC
From an examination, this is at worst a null pointer dereference, and
it's readily inferred from a ticket on our public bugtracker, so I'm
sending this in the clear.

Because of patch 26a59d9b46574e457870197dffa802871b4c8fc7 from Geoff
Thorpe (hi!), if openssl is built with no-ssl3, and you connect to it
with SSL v3, then the s->method pointer is set to NULL. This can
cause a variety of functions to crash if you call them on your error
path, since nearly everything expects s->method to be set and doesn't
check it.

In Tor's case, the crash happens in a bit of code in our cleanup
function that does "SSL_set_tlsext_host_name(... , NULL);" to work
around the bug that Ben fixed in
241d088156cdd12bce84b26dbc9060972ef73d96. But probably this kind of
thing can happen to other programs too.

I'd suggest that the code in ssl23_get_client_hello() should instead
do something like this:

    SSL_METHOD *new_method = ssl23_get_server_method(s->version);
    if (new_method == NULL)
        {
        SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
        goto err;
        }
    else
        s->method = new_method;

Does that seem sensible? I might well be missing something; my
understanding of this code is shallow.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-***@openssl.org
Automated List Manager ***@openssl.org
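
An added illustration of the failure mode and the suggested fix from the message above; it is not code from the post or from OpenSSL. Every type, constant and function in it is a hypothetical, simplified model of a connection whose method table is looked up by protocol version, and the "before" variant is an assumed reading of the behaviour the post describes.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model: every type and function here is hypothetical, not OpenSSL's. */
#define VER_SSL3 0x0300
#define VER_TLS1 0x0301

struct method { int version; long (*ctrl)(int cmd); };
struct conn { const struct method *method; int version; };

static long demo_ctrl(int cmd) { return cmd + 1; }
static const struct method flexible_method = { 0, demo_ctrl };
static const struct method tls1_method = { VER_TLS1, demo_ctrl };

/* Models a build with SSLv3 compiled out: no method exists for that version. */
static const struct method *get_server_method(int ver)
{
    return ver == VER_TLS1 ? &tls1_method : NULL;
}

/* Before: the lookup result lands in c->method even when it is NULL. */
static int hello_unchecked(struct conn *c, int ver)
{
    c->version = ver;
    c->method = get_server_method(ver);
    return c->method != NULL ? 1 : -1;
}

/* After: look up into a local first; on failure c->method stays valid. */
static int hello_checked(struct conn *c, int ver)
{
    const struct method *new_method = get_server_method(ver);
    c->version = ver;
    if (new_method == NULL)
        return -1;               /* unsupported protocol */
    c->method = new_method;
    return 1;
}

/* Cleanup-path call that dispatches through c->method with no NULL check. */
static long conn_ctrl(const struct conn *c, int cmd) { return c->method->ctrl(cmd); }

int main(void)
{
    struct conn a = { &flexible_method, 0 }, b = { &flexible_method, 0 };
    int ra = hello_unchecked(&a, VER_SSL3), rb = hello_checked(&b, VER_SSL3);
    printf("unchecked: ret=%d method=%s\n", ra, a.method ? "set" : "NULL");
    printf("checked:   ret=%d ctrl=%ld\n", rb, conn_ctrl(&b, 7)); /* safe: method kept */
    return 0;
}
```

Both variants report the handshake failure; only the checked one leaves the connection in a state that later error-path calls can still dispatch through.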