On Thu February 28 2008 17:52, David Schwartz wrote:
>
> > I've written a network app using pthreads, ssl, and xml.
> >
> > I use xml over tcp over ssl and all of that is working fine.
> >
> > Whilst chasing down what I thought was a bug, I started using
> > valgrind on my app.
> >
> > I'm receiving thousands of "uninitialized value and conditional jump"
> > errors triggered by the data that I receive via SSL_read.
> >
> > [I'm not worried about the alleged valgrind errors within SSL itself
> > due to randomizing, etc.]
> >
> > I've run test programs using pthreads and xml parsing (extracted out
> > of my code) and they do not trigger the errors when used w/o SSL.
> >
> > So, I'm struggling to understand why the data received via sockets
> > from the network and through SSL would trigger these kinds of
> > warnings. Literally, every packet/pdu I receive and parse triggers
> > these errors. The data is valid and the PDUs are correct thus my
> > confusion.
> >
> > Has anyone ever seen this and know how to fix/correct?
>
> Look at any code that you use with SSL but not without. One common thing
> that can trigger this is if you run 'strlen', 'strchr', or something like
> that on the received data.
>
> Consider:
>
> char buf[1024];
> int i, j;
>
> buf[1024]=0; // to make sure we don't run off the end
>

Does not C number the indices: 0..1023?

> j=SSL_read(ssl, buf, 1000);
> if(j<=0) return;
> i=strlen(buf);
> if(i<j) // data contained an embedded zero
> {
> ...
>
> This is legal/safe code. However, it does read uninitialized data. The value
> of the uninitialized data can affect 'i', but not whether or not 'i' is less
> than 'j'. The tool will correctly report that the value of 'i' is
> indeterminate.
>
> But that's just a guess. It's very hard to say without knowing what your
> code looks like.
>
> DS
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
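
Added example (not part of the original thread and not code from either poster): one way to handle the received bytes so that only the `j` bytes actually written are inspected and the terminator stays inside the array. `fake_read` is a hypothetical stand-in for `SSL_read` so the block runs offline, and the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 1024

/* Hypothetical stand-in for SSL_read(): copies up to cap bytes of constructed
 * data into buf and returns the count, leaving the rest of buf untouched. */
static int fake_read(char *buf, int cap, const char *data, int n)
{
    if (n > cap) n = cap;
    memcpy(buf, data, (size_t)n);
    return n;
}

/* Returns 1 if the first len bytes contain a zero byte. memchr() is bounded
 * by len, so it never touches bytes the read did not write. */
int has_embedded_nul(const char *buf, int len)
{
    return len > 0 && memchr(buf, 0, (size_t)len) != NULL;
}

/* Receives one record into buf (capacity cap), records whether it held an
 * embedded zero, and NUL-terminates it. Returns the length, or -1. */
int receive_text(char *buf, int cap, const char *data, int n, int *embedded)
{
    int j = fake_read(buf, cap - 1, data, n); /* reserve one byte for '\0' */
    if (j <= 0) return -1;
    *embedded = has_embedded_nul(buf, j);     /* inspects initialized bytes only */
    buf[j] = '\0';                            /* j <= cap - 1, so in bounds */
    return j;
}

int main(void)
{
    char buf[BUF_SIZE];                       /* valid indices: 0..BUF_SIZE-1 */
    int embedded = 0;
    int j = receive_text(buf, BUF_SIZE, "<pdu>ok</pdu>", 13, &embedded);
    printf("len=%d embedded=%d text=%s\n", j, embedded, buf);
    return 0;
}
```

Because the terminator is written at `buf[j]` before any string function runs, a later `strlen(buf)` stops inside the received data and valgrind has no uninitialized bytes to report.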