Date: Sun, 13 Apr 2014 10:44:54 +0400
From: Solar Designer <>
Subject: Re: Use-after-free race condition in OpenSSL's read buffer

On Sat, Apr 12, 2014 at 09:47:49PM -0600, Scotty Bauer wrote:
> Patch is available at:

Some context to this:

This specific patch is found in Benson Kwok's bug report:

Benson writes:

"The issue is when the buffer is released by ssl3_release_read_buffer(),
there may still be data left in the buffer (s->s3->rbuf.left != 0). With
single threading, when another read occurs, the same buffer is reused
during a call to ssl3_setup_read_buffer() so the data is still there and
can be read and processed so it works fine. When running with multiple
threads, the buffer is shared in a pool and another thread may have gotten
that buffer already. If the call to ssl3_setup_read_buffer() returns a new
buffer, it assumes the data is still there but will run into a parsing error
with the record."

(Of course, "parsing error" isn't necessarily the worst outcome.)
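To make the interleaving Benson describes concrete, here is an added, self-contained C model (not OpenSSL's code and not the patch itself): a two-slot shared pool, a per-connection buffer with a `left` count of unparsed bytes, and a release routine in its unfixed form beside a guarded form that models the invariant "do not release while rbuf.left != 0". The pool, slot names and the guard's exact shape are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>

#define NSLOTS 2
#define SLOT_SIZE 32

/* Shared free pool of raw storage, standing in for OpenSSL's shared buffer pool. */
static char slots[NSLOTS][SLOT_SIZE];
static int slot_free[NSLOTS];

static char *pool_get(void) {
    for (int i = 0; i < NSLOTS; i++)
        if (slot_free[i]) { slot_free[i] = 0; return slots[i]; }
    return NULL;
}

static void pool_put(char *p) {
    for (int i = 0; i < NSLOTS; i++)
        if (p == slots[i]) slot_free[i] = 1;
}

/* Per-connection read buffer: storage pointer plus count of received-but-unparsed
   bytes, mirroring the rbuf.buf / rbuf.left pair from the report. */
typedef struct { char *buf; size_t left; } rbuf_t;

static void setup_read_buffer(rbuf_t *rb) { if (!rb->buf) rb->buf = pool_get(); }

/* Unfixed: hands storage back to the pool even though rb->left bytes are unparsed. */
static void release_read_buffer_unfixed(rbuf_t *rb) { pool_put(rb->buf); rb->buf = NULL; }

/* Guarded (assumed shape of the invariant): never release while unparsed bytes remain. */
static void release_read_buffer_fixed(rbuf_t *rb) {
    if (rb->left != 0) return;
    pool_put(rb->buf);
    rb->buf = NULL;
}

/* Interleaving from the report: A parks a partially-read record, B acquires storage
   in between and fills it, A resumes. Returns 1 if A's pending bytes are intact. */
static int pending_record_survives(void (*release)(rbuf_t *)) {
    for (int i = 0; i < NSLOTS; i++) slot_free[i] = 1;
    rbuf_t a = { pool_get(), 0 }, b = { NULL, 0 };
    memcpy(a.buf, "HELLO", 5); a.left = 5;  /* constructed: 5 unparsed record bytes */
    release(&a);                            /* A goes idle between reads */
    setup_read_buffer(&b);                  /* another thread/connection takes a buffer */
    memcpy(b.buf, "XXXXX", 5); b.left = 5;  /* and writes its own data into it */
    setup_read_buffer(&a);                  /* A resumes, still trusting a.left == 5 */
    return a.buf != NULL && memcmp(a.buf, "HELLO", a.left) == 0;
}
```

With the unfixed release, A gets a fresh slot whose contents do not match its stale `left` count, which is the "parsing error" case at best; with the guard, A's storage never leaves its hands while bytes are pending.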

