memory crash when calling " X509_free" function

memory crash when calling " X509_free" function

Sanjay Kumar (sanjaku5)

Hi,

I have the below 2 functions:

1. Receive the certificate data in DER format and convert it to X509 format

RetCode convert_der_to_x509(uint8_t *cert_der, uint32_t cert_len)
{
  const unsigned char *bptr = NULL;

  X509 *x509 = NULL;
  bptr = (unsigned char *)cert_der;
  x509 = d2i_X509(NULL, &bptr, cert_len);               /* x509 structure is allocated here */
  if (x509 == NULL)
  {
    syfer_log->ERR("DER to x509 conversion failed");
    return RET_ERROR;
  }
  return RET_SUCCESS;
}

2. Clean up the X509 structure

void cleanup_x509()
{
  X509_free(x509);
}

Query:

When I call the cleanup_x509 function, I get the memory crash.

Backtrace:

Program terminated with signal 11, Segmentation fault.
#0  0x081e7748 in ASN1_STRING_free ()
#1  0x081e2b90 in ASN1_primitive_free ()
#2  0x081e2b7a in ASN1_primitive_free ()
#3  0x081e2c1a in asn1_item_combine_free ()
#4  0x081e2e5d in ASN1_template_free ()
#5  0x081e2d9e in asn1_item_combine_free ()
#6  0x081e2e5d in ASN1_template_free ()
#7  0x081e2d9e in asn1_item_combine_free ()
#8  0x081e2e93 in ASN1_item_free ()
#9  0x081defd7 in X509_free ()
#10 0x08052673 in CertificateRemote::cleanup_x509 (this=0x9bb55f0) at syfer/crypto/Certificate.cpp:309

What could be the possible reason for the above crash?

Thanks,
Sanjay

Re: memory crash when calling " X509_free" function

Pravesh Rai
Is it because x509 is a local variable in 1 function & freed in another?
 
PK


On Thu, Oct 3, 2013 at 5:22 PM, Sanjay Kumar (sanjaku5) <[hidden email]> wrote:


RE: memory crash when calling " X509_free" function

Dave Thompson-5
In reply to this post by Sanjay Kumar (sanjaku5)

Almost certainly something corrupted in your heap. It could be that code between the create and the free gets a pointer into a field/element in the X509 (like Subject name, or an individual AVA in Subject name, or some particular extension, etc. etc.) and uses that pointer to store something it shouldn’t; or allocates some other space on the same heap and uses that pointer to store where it shouldn’t – often by doing a strcpy or strcat of a value that’s longer than the space allocated; or you just have a completely wrong pointer value (usually because uninitialized) that you store through. It could conceivably be corruption that existed before your (parse and) allocate X509, but didn’t actually cause a failure until after, but depending on your C library and its memory manager that’s usually less likely.

If your C library has any “malloc debugging” features turn them on, or if you have valgrind use that. If not, see if you can port to a system that does. Failing that, you can try black-box debugging – remove or reduce your code a chunk at a time to see if that “fixes” the problem – but heap corruption bugs can easily “appear” and “vanish” as the size of your code changes even when you haven’t actually fixed (or created!) the bug.

If you’re using C++ as appears, and you don’t already, although it’s a fair bit of work, you could try replacing “raw” C-style pointers, arrays and strings with C++ std::string, std::vector, std::auto_ptr and so forth, which protect against some possible overruns and bad pointers – but not all.


From: [hidden email] [mailto:[hidden email]] On Behalf Of Sanjay Kumar (sanjaku5)
Sent: Thursday, October 03, 2013 07:53
To: [hidden email]
Subject: *** Spam *** memory crash when calling " X509_free" function

 

<snip: method(?) which creates/parses X509 from DER and another which frees it and gets:>

Re: memory crash when calling " X509_free" function

michel-60
In reply to this post by Sanjay Kumar (sanjaku5)
Could it be because of a misuse of X509_dup() or CRYPTO_add( ..., 1, CRYPTO_LOCK_X509 )
in a copy constructor or an assignment operator?

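The two points raised in the replies above, a handle parsed in one function and freed from another (Pravesh) and copy semantics on an object that owns an X509 (michel), as an added C++ example that is not from the thread, not the poster's Certificate.cpp and not OpenSSL code. So that it compiles without libcrypto, it carries a small, clearly marked stand-in for X509, d2i_X509 and X509_free; the stand-in only checks the outer DER SEQUENCE header and copies the bytes, it is not a certificate parser. With OpenSSL installed, delete the stand-in section and #include <openssl/x509.h> instead, since the signatures match. The class name CertificateRemote follows the backtrace; the member name x509_, the helper names and the sample bytes are assumptions made for the example.

```cpp
// Added example (not from the thread): making X509 ownership explicit so the
// handle cannot be parsed into a shadowing local, left uninitialised in the
// object, or freed twice through an implicit copy.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <new>
#include <vector>

// ---- stand-in for <openssl/x509.h>, constructed for this example ----
// The real X509 is opaque; this one just keeps the DER bytes it was parsed from.
struct X509 { std::vector<unsigned char> der; };

// Same signature as OpenSSL's d2i_X509. Only validates the outer SEQUENCE
// tag (0x30) and its length, then heap-allocates a copy and advances *in,
// which is the part of the real behaviour the ownership pattern depends on.
static X509 *d2i_X509(X509 **out, const unsigned char **in, long len) {
    if (in == nullptr || *in == nullptr || len < 2 || (*in)[0] != 0x30) return nullptr;
    const unsigned char *p = *in;
    std::size_t hdr = 2;
    std::size_t body = p[1];
    if (p[1] & 0x80) {                                   // long-form length
        std::size_t n = p[1] & 0x7f;
        if (n == 0 || n > 4 || len < static_cast<long>(2 + n)) return nullptr;
        body = 0;
        for (std::size_t i = 0; i < n; ++i) body = (body << 8) | p[2 + i];
        hdr = 2 + n;
    }
    if (static_cast<long>(hdr + body) > len) return nullptr;   // truncated input
    X509 *x = new (std::nothrow) X509{std::vector<unsigned char>(p, p + hdr + body)};
    if (x == nullptr) return nullptr;
    *in = p + hdr + body;                                // caller's pointer moves past the object
    if (out != nullptr) *out = x;
    return x;
}
static void X509_free(X509 *x) { delete x; }             // NULL-safe, like the real one
// ---- end stand-in ----

// Deleter so a unique_ptr releases the handle with X509_free, never delete.
struct X509Deleter {
    void operator()(X509 *x) const noexcept { X509_free(x); }
};
using X509Ptr = std::unique_ptr<X509, X509Deleter>;

// Counterpart of the poster's class with the ownership made explicit.
class CertificateRemote {
public:
    // The parsed handle lands in the member, not in a local that shadows it.
    bool convert_der_to_x509(const std::uint8_t *cert_der, std::uint32_t cert_len) {
        const unsigned char *bptr = cert_der;           // d2i_X509 advances this copy
        X509 *raw = d2i_X509(nullptr, &bptr, cert_len);
        if (raw == nullptr) return false;
        x509_.reset(raw);                                // frees any previous cert exactly once
        return true;
    }
    bool has_cert() const { return static_cast<bool>(x509_); }
    // Explicit cleanup stays available; the destructor does the same thing automatically.
    void cleanup_x509() { x509_.reset(); }
private:
    // unique_ptr starts as nullptr, so there is never an uninitialised pointer to free,
    // and it is move-only, so copying a CertificateRemote does not compile: the author
    // has to choose X509_dup() or reference counting instead of getting a silent double free.
    X509Ptr x509_;
};

// Constructed sample: a DER SEQUENCE with a 3-byte body (not a real certificate).
static const std::uint8_t kSampleDer[] = {0x30, 0x03, 0x02, 0x01, 0x05};

// Parse, hold, release, release again: the second cleanup is a no-op, not a double free.
bool demo_ownership() {
    CertificateRemote cert;
    if (!cert.convert_der_to_x509(kSampleDer, sizeof kSampleDer)) return false;
    if (!cert.has_cert()) return false;
    cert.cleanup_x509();
    if (cert.has_cert()) return false;
    cert.cleanup_x509();
    return true;
}

// A truncated header (claims 16 body bytes, 1 present) is rejected and nothing is held.
bool demo_rejects_truncated() {
    CertificateRemote cert;
    const std::uint8_t truncated[] = {0x30, 0x10, 0x02};
    return !cert.convert_der_to_x509(truncated, sizeof truncated) && !cert.has_cert();
}

int main() {
    return (demo_ownership() && demo_rejects_truncated()) ? 0 : 1;
}
```

The poster's original pair of functions compiles only if a member named x509 exists, and the local `X509 *x509 = NULL;` in convert_der_to_x509 then receives the parsed object while the member keeps whatever it held before, which is the situation Pravesh's question describes. With unique_ptr the member is the only place the handle can go. If two objects genuinely need to share one certificate, OpenSSL 1.1 and later provide X509_up_ref() for the reference-count bump that michel's CRYPTO_add(..., 1, CRYPTO_LOCK_X509) performs on 1.0.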