Package: libssl1.0.0
Version: 1.0.1f-1
Severity: important
File: libssl

When using libssl from multiple threads with SSL_MODE_RELEASE_BUFFERS enabled,
it seems that read buffers are being improperly released. Under load, I'm seeing
the errors below.

This bug has already been reported to OpenSSL, with a patch, but there is no
movement on it:
http://rt.openssl.org/Ticket/Display.html?id=2167&user=guest&pass=guest

Would it be possible to get this patch (attached, created from the link
referenced) in Debian rather than waiting for them, especially since it's so
simple?

SSL_accept failed (0 6 0): (1) error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac.
SSL_accept failed (0 6 0): (1) error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
SSL_accept failed (0 6 0): (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libssl1.0.0:amd64 depends on:
ii  debconf [debconf-2.0]  1.5.52
ii  libc6                  2.18-4
ii  multiarch-support      2.18-4

libssl1.0.0:amd64 recommends no packages.

libssl1.0.0:amd64 suggests no packages.

-- debconf information excluded
Index: openssl.git/ssl/s3_pkt.c
===================================================================
--- openssl.git.orig/ssl/s3_pkt.c	2014-03-10 16:25:43.153467123 -0400
+++ openssl.git/ssl/s3_pkt.c	2014-03-10 16:26:20.006216967 -0400
@@ -1055,7 +1055,7 @@
 				{
 				s->rstate=SSL_ST_READ_HEADER;
 				rr->off=0;
-				if (s->mode & SSL_MODE_RELEASE_BUFFERS)
+				if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0)
 					ssl3_release_read_buffer(s);
 				}
 			}
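
Review bot: the new condition on the added line mixes & and && without parentheses and carries no comment explaining the extra test. It parses as intended, since & binds tighter than && and == binds tighter than both, but writing it as (s->mode & SSL_MODE_RELEASE_BUFFERS) && s->s3->rbuf.left == 0 makes the grouping explicit for the next reader. A one-line comment above the if, saying that the read buffer must not be released while rbuf.left is non-zero because bytes already read into it have not been consumed yet, would record why the check exists and tie it to the errors reported with SSL_MODE_RELEASE_BUFFERS under load.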
