From: "Dr. Stephen Henson" To: Andy Grimm Cc: Stefan Fritsch , Kees Cook , Pierre Joye , "Steven M. Christey" , Daniel Stenberg , curl-security@haxx.se, secalert@redhat.com, security@debian.org, security@suse.de, security@ubuntu.com, Joe Orton , security@php.net, "Michael K. Johnson" , Kurt Roeckx Subject: Re: [PATCH] memory consumption (DoS) vulnerability involving libcurl Message-ID: <20100111011852.GA14391@openssl.org> ... I've attached a patch which uses an alternative technique. The main problem is that the ex_data free function pointer is removed when CRYPTO_cleanup_all_ex_data() is called. If the compression structure is cleaned up directly this problem is avoided: Index: crypto/comp/c_zlib.c =================================================================== RCS file: /v/openssl/cvs/openssl/crypto/comp/c_zlib.c,v retrieving revision 1.22 diff -u -r1.22 c_zlib.c --- crypto/comp/c_zlib.c 13 Dec 2008 17:19:40 -0000 1.22 +++ crypto/comp/c_zlib.c 8 Jan 2010 23:56:13 -0000 @@ -136,15 +136,6 @@ static int zlib_stateful_ex_idx = -1; -static void zlib_stateful_free_ex_data(void *obj, void *item, - CRYPTO_EX_DATA *ad, int ind,long argl, void *argp) - { - struct zlib_state *state = (struct zlib_state *)item; - inflateEnd(&state->istream); - deflateEnd(&state->ostream); - OPENSSL_free(state); - } - static int zlib_stateful_init(COMP_CTX *ctx) { int err; @@ -188,6 +179,12 @@ static void zlib_stateful_finish(COMP_CTX *ctx) { + struct zlib_state *state = + (struct zlib_state *)CRYPTO_get_ex_data(&ctx->ex_data, + zlib_stateful_ex_idx); + inflateEnd(&state->istream); + deflateEnd(&state->ostream); + OPENSSL_free(state); CRYPTO_free_ex_data(CRYPTO_EX_INDEX_COMP,ctx,&ctx->ex_data); } 
@@ -402,7 +399,7 @@ if (zlib_stateful_ex_idx == -1) zlib_stateful_ex_idx = CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_COMP, - 0,NULL,NULL,NULL,zlib_stateful_free_ex_data); + 0,NULL,NULL,NULL,NULL); CRYPTO_w_unlock(CRYPTO_LOCK_COMP); if (zlib_stateful_ex_idx == -1) goto err; Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org
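Review bot: in the zlib_stateful_finish() hunk, `state` is dereferenced unconditionally after CRYPTO_get_ex_data(), so an empty slot (CRYPTO_get_ex_data() returning NULL because nothing was stored for zlib_stateful_ex_idx) becomes a NULL dereference in inflateEnd(&state->istream). Guard the three cleanup calls with `if (state != NULL)` before falling through to CRYPTO_free_ex_data(). The ordering itself is right: the state is torn down before the ex_data is released, so no free callback is needed.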
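Review bot: the CRYPTO_get_ex_new_index() hunk passes NULL for the free callback with no comment explaining why, even though that NULL is the whole point of the alternative technique (the message says the registered free function is dropped by CRYPTO_cleanup_all_ex_data()). Add a one-line comment at the call site stating that the zlib_state is freed directly in zlib_stateful_finish() and the callback must stay NULL, so a later cleanup does not move the free back into a callback and reintroduce the leak. Nothing in this hunk resets the cached static zlib_stateful_ex_idx after CRYPTO_cleanup_all_ex_data(); if that is intentional, the same comment should say so.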
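The mechanism behind the leak, as an added example that is not part of the message above or of OpenSSL: a constructed model of the ex_data registry in which each index carries a free callback in a global table, a global cleanup wipes that table, and a context finished afterwards either relies on the now-missing callback (pre-patch behaviour, leaks) or frees its state directly (patched behaviour, no leak). All names prefixed `model_` and the counters are hypothetical stand-ins for the OpenSSL calls named in the patch, not OpenSSL's API.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the ex_data registry (not OpenSSL's code):
 * one free callback per index, held in a global table. */
typedef void (*ex_free_fn)(void *item);
#define MAX_EX_IDX 4
static ex_free_fn g_free_fns[MAX_EX_IDX];
static int g_next_idx;

/* Stand-in for struct zlib_state and its two zlib streams. */
struct zlib_state { char istream[32]; char ostream[32]; };

/* Live zlib_state objects; non-zero after finish() means a leak. */
static int g_live_states;

/* Stand-in for COMP_CTX: a single ex_data slot and the index it uses. */
struct comp_ctx { void *ex_data; int idx; };

/* Models CRYPTO_get_ex_new_index(): registers the callback for a new index. */
int model_get_ex_new_index(ex_free_fn f)
{
    if (g_next_idx >= MAX_EX_IDX)
        return -1;
    g_free_fns[g_next_idx] = f;
    return g_next_idx++;
}

/* Models CRYPTO_cleanup_all_ex_data(): every registered callback is dropped. */
void model_cleanup_all_ex_data(void)
{
    memset(g_free_fns, 0, sizeof g_free_fns);
    g_next_idx = 0;
}

/* Models CRYPTO_free_ex_data(): runs the callback only if one is still registered. */
void model_free_ex_data(struct comp_ctx *ctx)
{
    if (ctx->idx >= 0 && ctx->idx < MAX_EX_IDX
        && g_free_fns[ctx->idx] != NULL && ctx->ex_data != NULL)
        g_free_fns[ctx->idx](ctx->ex_data);
    ctx->ex_data = NULL;
}

static void zlib_state_free(void *item)
{
    /* inflateEnd()/deflateEnd() would run here in the real code. */
    g_live_states--;
    free(item);
}

static int g_zlib_idx = -1;

/* Models zlib_stateful_init(): allocate the state, store it in the slot.
 * register_cb selects the pre-patch (callback) or patched (NULL) registration. */
int model_zlib_init(struct comp_ctx *ctx, int register_cb)
{
    struct zlib_state *state;
    if (g_zlib_idx == -1)
        g_zlib_idx = model_get_ex_new_index(register_cb ? zlib_state_free : NULL);
    if (g_zlib_idx == -1)
        return 0;
    state = calloc(1, sizeof *state);
    if (state == NULL)
        return 0;
    g_live_states++;
    ctx->idx = g_zlib_idx;
    ctx->ex_data = state;
    return 1;
}

/* Pre-patch finish(): the only cleanup is the registered callback. */
void finish_via_callback(struct comp_ctx *ctx) { model_free_ex_data(ctx); }

/* Patched finish(): free the state directly, then release the slot. */
void finish_direct(struct comp_ctx *ctx)
{
    struct zlib_state *state = ctx->ex_data;
    if (state != NULL)              /* tolerate an empty slot */
        zlib_state_free(state);
    model_free_ex_data(ctx);
}

/* Scenario from the report: init a context, a global cleanup runs, then the
 * context is finished.  Returns the number of zlib_state objects still live. */
int leaked_states_after_global_cleanup(int use_direct_free)
{
    struct comp_ctx ctx = { NULL, -1 };
    struct zlib_state *held;
    int leaked;

    model_cleanup_all_ex_data();    /* fresh registry for this run */
    g_zlib_idx = -1;
    g_live_states = 0;

    if (!model_zlib_init(&ctx, !use_direct_free))
        return -1;
    held = ctx.ex_data;

    model_cleanup_all_ex_data();    /* callback table wiped; index still cached */
    if (use_direct_free)
        finish_direct(&ctx);
    else
        finish_via_callback(&ctx);

    leaked = g_live_states;
    if (leaked)                     /* reclaim it so the demo itself does not leak */
        zlib_state_free(held);
    return leaked;
}

int main(void)
{
    return (leaked_states_after_global_cleanup(0) == 1
            && leaked_states_after_global_cleanup(1) == 0) ? 0 : 1;
}
```

The callback run loses one state per context finished after the global cleanup, which is the per-request growth the report describes; the direct-free run keeps the count at zero because the owner of the slot no longer depends on registry state that can be torn down underneath it.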