Comment 38 for bug 6867

Matthias Urlichs (smurf) wrote: Re: Bug#244827: libgcrypt7: more info

Hi,

Roland Bauerschmidt:
> I have just reproduced the bug under Electric Fence. The SEGV occurs
> slightly earlier:
>
Yes -- still not terribly helpful however, we need to find out who
releases the memory.

Sometimes it occurs still earlier:

0x40200384 in _gnutls_get_dh_params (dh_primes=0x486baff8, ret_p=0xbf7fc248,
    ret_g=0xbf7fc24c) at gnutls_dh_primes.c:37
37 if (dh_primes == NULL || dh_primes->_prime == NULL ||
(gdb) whe
#0 0x40200384 in _gnutls_get_dh_params (dh_primes=0x486baff8,
    ret_p=0xbf7fc248, ret_g=0xbf7fc24c) at gnutls_dh_primes.c:37
#1 0x40200292 in proc_dhe_client_kx (session=0x484c1630,
    data=0x486baff8 '' <repeats 200 times>..., _data_size=1215016952)
    at auth_dhe.c:268
#2 0x401f0548 in _gnutls_recv_client_kx_message (session=0x484c1630)
    at gnutls_kx.c:329
#3 0x401eb4c0 in _gnutls_handshake_server (session=0x484c1630)
    at gnutls_handshake.c:2241
#4 0x401eaad6 in gnutls_handshake (session=0x484c1630)
    at gnutls_handshake.c:1892
#5 0x400599a7 in SSL_do_handshake (ssl=0x48572fdc, end=GNUTLS_SERVER)
    at gnutls.c:627
#6 0x40059acd in gnutls_SSL_accept (ssl=0x48572fdc) at gnutls.c:670

> Consequently, session->key->cred->credentials and cred should be
> *identical*. But they aren't (0x47210fb8 != 0x85cfbff6):
>
Umm...

> (gdb) p session->key->cred->credentials
> $53 = (void *) 0x47210fb8
> (gdb) p cred
> $54 = <value optimized out>
> (gdb) p *cred
> Cannot access memory at address 0x85cfbff6

... gdb actually uses the wrong value here (optimization!), especially since
session->key->cred->credentials is accessible. Try recompiling with -O0.

You might also try the helpful

(gdb) set env EF_FREE_WIPES 1

If you do that, you see
(gdb) p *((const CERTIFICATE_CREDENTIALS_INT *)session->key->cred->credentials)->dh_params
$40 = {_prime = 0xbdbdbdbd, _generator = 0xbdbdbdbd}

=> something freed the dh_params vector.

I haven't found the culprit yet.

--
Matthias Urlichs | {M:U} IT Design @ m-u-it.de | <email address hidden>
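Added example, not part of the message above and not GnuTLS or Electric Fence code: a tiny poison-on-free allocator that does what EF_FREE_WIPES does (overwrite a freed block with 0xbd), plus a quarantine so the wiped block stays readable, which is what makes the dangling read deterministic here. The struct mirrors the {_prime, _generator} pair gdb printed; the names wipe_malloc, wipe_free, check_dh_params and mpi_stub are assumptions for illustration, and the limb values are constructed, not DH parameters.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Byte EF_FREE_WIPES writes over freed blocks (0xbd, hence 0xbdbdbdbd above). */
#define WIPE_BYTE 0xbd

/* Stand-in for the bignum type behind dh_params->_prime (hypothetical). */
struct mpi_stub { unsigned limb; };

/* Same shape as the {_prime, _generator} pair printed by gdb above. */
struct dh_params {
    struct mpi_stub *_prime;
    struct mpi_stub *_generator;
};

/* Quarantine: a freed block is wiped and parked here instead of being
 * handed back to malloc, so a later read through a stale pointer shows the
 * poison deterministically rather than whatever the allocator reused it for. */
#define QUARANTINE_SLOTS 64
static void *quarantine[QUARANTINE_SLOTS];
static int quarantined = 0;

static void *wipe_malloc(size_t n)
{
    void *p = malloc(n);
    if (p == NULL) abort();
    return p;
}

static void wipe_free(void *p, size_t n)
{
    if (p == NULL) return;
    memset(p, WIPE_BYTE, n);                 /* the EF_FREE_WIPES step */
    if (quarantined < QUARANTINE_SLOTS)
        quarantine[quarantined++] = p;       /* keep it readable for the demo */
    else
        free(p);                             /* slots exhausted: really free */
}

static void quarantine_drain(void)
{
    while (quarantined > 0)
        free(quarantine[--quarantined]);
}

/* A pointer-sized value made entirely of WIPE_BYTE is almost certainly a
 * field read out of a freed, wiped block. */
static int looks_wiped(const void *ptr)
{
    uintptr_t v = (uintptr_t)ptr, pattern = 0;
    for (size_t i = 0; i < sizeof pattern; i++)
        pattern = (pattern << 8) | WIPE_BYTE;
    return v == pattern;
}

/* The NULL test from gnutls_dh_primes.c:37 plus a poison test.
 * Returns 0 when usable, -1 when a pointer is NULL, -2 when a field carries
 * the wipe pattern, i.e. the vector was released while still referenced. */
static int check_dh_params(const struct dh_params *dp)
{
    if (dp == NULL)
        return -1;
    if (looks_wiped(dp->_prime) || looks_wiped(dp->_generator))
        return -2;
    if (dp->_prime == NULL || dp->_generator == NULL)
        return -1;
    return 0;
}

/* Reproduce the thread's symptom: build a params vector, let "someone"
 * release it while the session still holds the pointer, then read it again.
 * Returns 1 when the live check passes and the stale check reports poison. */
static int demo_stale_dh_params(void)
{
    struct dh_params *dp = wipe_malloc(sizeof *dp);
    dp->_prime = wipe_malloc(sizeof *dp->_prime);
    dp->_generator = wipe_malloc(sizeof *dp->_generator);
    dp->_prime->limb = 23;       /* constructed values, not real DH parameters */
    dp->_generator->limb = 5;

    int live = check_dh_params(dp);          /* 0: both fields are real pointers */

    /* The unknown culprit frees the vector; the session's pointer survives. */
    wipe_free(dp->_prime, sizeof *dp->_prime);
    wipe_free(dp->_generator, sizeof *dp->_generator);
    wipe_free(dp, sizeof *dp);

    int stale = check_dh_params(dp);         /* -2: fields now read 0xbdbd... */

    quarantine_drain();
    return live == 0 && stale == -2;
}

int main(void)
{
    printf("stale dh_params detected: %s\n",
           demo_stale_dh_params() ? "yes" : "no");
    return 0;
}
```

Without the wipe the second check would usually pass: a freed block keeps its old contents until the allocator reuses it, which is why the crash in the thread moves around between runs. The quarantine is only there to make the demo reproducible; Electric Fence instead unmaps freed pages, so the dangling read faults immediately.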