Topic: special handshake message - valgrind uninitialized read

Hello again smile

Context as usual:
latest git, sles 11.1 and macosx 10.7.4

./configure --prefix=/usr/local/cyassl --enable-hugecache --enable-fastmath --enable-debug

start server (-d is important in this case, since message is ad-hoc)

./examples/server/.libs/server -p 1105 -v 1 -d

send the following handshake message

echo -ne '16030101061000010201008ae7eddc582257a9e6f26cd61c529166b46ab9c1b2a652066a1389672afce29ae8d1f7dc7a39d573fb048b5c193bf87cc8b943f0bc13c3d9c09b5ec5dca38dbdded583f13b4a8eec3fa089bcd8e6f27b9f7587ae4b507b9f3f324c03b7c2489762d64fb5288afdb49a300022370fff7bacfb2b41b97aa4a8eda14eff85df4333887ca8d7e5dbe7de509d6f3cfe3f1f1e42355f49797a995d27225523ca75e43157a573f63514b464401591adfba3edf2414a43af7ec35cecf7f020ec3ec697c86373f507f087e2ae11412e89a6cb6356dcc709e3899caac68f597bdfa38b1c5cb1339045e2db528a211fff4ac915dd91fb0ab0a872ee2f0081f970468d64d4e71403010001011603010030f2ea69c2f09920c02ec2a278454c233516ae19ef99c105caae50ba493c026c4e0b27947a3d5a40511db89a7be4713584' | xxd -r -p | netcat localhost 1105 | xxd

log + valgrind complains (and since my app crashes around there - i assume nasty things happen from wrong keys being initialized, etc.)

<skipped startup stuff>

CyaSSL Entering SSL_set_fd
CyaSSL Leaving SSL_set_fd, return 1
CyaSSL Entering CyaSSL_SetTmpDH
CyaSSL Leaving CyaSSL_SetTmpDH, return 0
CyaSSL Entering SSL_accept()
growing input buffer

growing input buffer

received record layer msg
CyaSSL Entering DoHandShakeMsg()
CyaSSL Entering DoHandShakeMsgType
processing client key exchange

==58560== Conditional jump or move depends on uninitialised value(s)
==58560==    at 0x17FC2: DoClientKeyExchange (in /usr/local/cyassl/lib/libcyassl.3.dylib)
==58560==    by 0xE36D: DoHandShakeMsgType (in /usr/local/cyassl/lib/libcyassl.3.dylib)
==58560==    by 0xE50F: DoHandShakeMsg (in /usr/local/cyassl/lib/libcyassl.3.dylib)
==58560==    by 0xF515: ProcessReply (in /usr/local/cyassl/lib/libcyassl.3.dylib)
==58560==    by 0x1EE6C: CyaSSL_accept (in /usr/local/cyassl/lib/libcyassl.3.dylib)
==58560==    by 0x10000136E: server_test (in ./examples/server/.libs/server)
==58560==    by 0x10000219C: main (in ./examples/server/.libs/server)
==58560==  Uninitialised value was created by a heap allocation
==58560==    at 0x5237: malloc (in /usr/local/Cellar/valgrind/3.8.1/lib/valgrind/
==58560==    by 0x3A3A2: CyaSSL_Malloc (in /usr/local/cyassl/lib/libcyassl.3.dylib)
==58560==    by 0x1A898: CyaSSL_new (in /usr/local/cyassl/lib/libcyassl.3.dylib)
==58560==    by 0x1000012D0: server_test (in ./examples/server/.libs/server)
==58560==    by 0x10000219C: main (in ./examples/server/.libs/server)

the actual value being read uninitialized is: ssl->specs.kea

this also can be reproduced on commit 407397e8 (this is the closest one to 2.3.0 i can use due to other issues i've had).


Re: special handshake message - valgrind uninitialized read

Thanks for the report!  I just pushed a fix for this to our embedded SSL library.  Specs are now initialized on creation, the client key exchange state is checked before processing, and a specific error for bad kea type was added.  I'll have to check whether the same thing can now happen with an out of order finished or app data message.