NetBSD-Bugs archive


Re: lib/43828: openssl lib in 5.0.2 SEGV during SSL_accept



The following reply was made to PR lib/43828; it has been noted by GNATS.

From: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: lib-bug-people%NetBSD.org@localhost, gnats-admin%NetBSD.org@localhost, netbsd-bugs%NetBSD.org@localhost
Subject: Re: lib/43828: openssl lib in 5.0.2 SEGV during SSL_accept
Date: Thu, 2 Sep 2010 19:58:17 +0200

 On Thu, Sep 02, 2010 at 03:30:01PM +0000, Wolfgang.Stukenbrock%nagler-company.com@localhost wrote:
 >      The SSL is set up to accept SSLv23 connections by apache.
 >      The accept-stuff of the SSLv23 code reads in the first 11 bytes (shown above) and switches to
 >      TLSv1 mode. It re-injects the 11 bytes into the input again and starts the accept stuff from
 >      the chosen method - in this case ssl3_accept().
 >      There it starts with the state SSL3_ST_SR_CLNT_HELLO_A, switches to SSL3_ST_SW_SRVR_HELLO_A,
 >      SSL3_ST_SW_CHANGE_A and SSL3_ST_SW_FINISHED_A.
 >      There it calls ssl3_send_finished() that will call ssl3_do_write().
 >      ssl3_do_write() calls ssl3_finish_mac(). The comment there says that this does not really make sense
 >      for HELLO processing, but the result will be ignored in this case -- OK - not the best way, but ..
 >      In ssl3_finish_mac() "s->s3->handshake_buffer" is not set, so it starts looking for entries in
 >      "s->s3->handshake_dgst", but this is still a NULL pointer -> SEGV
 
 Looks like the bug I fixed with:
 http://releng.netbsd.org/cgi-bin/req-5.cgi?show=1365
 
 So this should be fixed in netbsd-5-0 newer than 5.0.2, as well
 as in the upcoming 5.1
 
 -- 
 Manuel Bouyer <bouyer%antioche.eu.org@localhost>
      NetBSD: 26 years of experience will always make the difference
 --
 

