Carolin Latze wrote:
> Hi everybody,
>
> I have a very strange problem and hope that somebody is able to help
> me. I wrote a simple client and server in C that authenticate each
> other mutually using SSL. The SSL connection itself is working and I
> was able to exchange messages using SSL_write and SSL_read. The client
> sends X509 extensions as strings to the server. The server is able to
> read them and prints them to stdout. Those extensions contain some
> special values I want to check on the server. The general idea is that
> the client has some certificates, he wants to check. But those
> certificates contain some special values, he cannot check. Therefore
> he establishes a SSL connection to a verification server that will
> verify those values and send the result to the client.
>
> As I said, I am able to send those values using SSL_write to the
> server who is able to read them using SSL_read. In order to verify
> those values, the server has to open some local files. In order to do
> so, I create the filename:
>
> sprintf(filename,"certs/%s",dirpt->d_name);
>
> This will create a null-terminated string. Even if I never use this
> string, just because I created it, SSL_clear will coredump with
>
> *** glibc detected *** ./server: free(): invalid pointer: 0x0806ed48 *** 
...
>
> I tried to create the filename string also using memcpy. Everything is
> fine until this string becomes null-terminated...
>
> I know, that sounds very strange, but does anybody have any idea how
> to solve that problem??

free() showing an invalid pointer is most likely the consequence of the
heap memory management running into corrupted data structures.

* Using sprintf() is a bad idea. Use snprintf(), which will enforce a
  length check preventing the buffer (filename) from overrun.
* You don't say in which way filename or dirpt->d_name are allocated.
* Use a dynamic memory allocation debugger like Efence to help in
  tracking down this issue.


Best regards,
    Lutz
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]