Browse code
- workarround for openssl kerberos malloc bug: openssl kerberos code in kssl.c uses libc malloc/free/calloc instead of the OPENSSL* versions (set using CRYPTO_set_mem_functions()). In ser ssl connections "move" between processes and so everything must be allocated in shared mem. If the wrong malloc function are called ser will eventually crash. This workarround tries to disable kerberos support each time a new SSL structure is created. For this fix to work is important to either use statically linked openssl or re-compile ser on the target machine (if openssl is linked dynamically then it must use the same compilation options as the machine on which ser is compiled). Bug reporterd by Atle Samuelsen <clona@cyberhouse.no>.
Andrei Pelinescu-Onciul authored on 26/01/2007 23:11:21Showing 1 changed files
| ... | ... |
@@ -8,6 +8,23 @@ ordered by numbers of ser versions to which they relate, |
| 8 | 8 |
beginning with the newest release. Issues related to |
| 9 | 9 |
operating systems are summarized in the bottom. |
| 10 | 10 |
-------------------------------------------------------------- |
| 11 |
+Desc: tls triggered crash on system with kerberos enabled openssl libs |
|
| 12 |
+Ser version: 0.10.x, 0.9.x |
|
| 13 |
+Reason: there is a bug in the openssl kerberos code (kssl.c): |
|
| 14 |
+ libc malloc/free/calloc are used instead of the OPENSSL |
|
| 15 |
+ versions. In ser ssl connections move between processes and |
|
| 16 |
+ if normal mallocs are used (instead of ser shm versions) a |
|
| 17 |
+ crash will occur eventually. |
|
| 18 |
+ Quick openssl kerberos support check: |
|
| 19 |
+ grep OPENSSL_NO_KRB5 openssl/opensslconf.h |
|
| 20 |
+ If the above command returns no result => openssl is compiled with |
|
| 21 |
+ kerberos support. |
|
| 22 |
+Workaround: use openssl versions not compiled with kerberos support or |
|
| 23 |
+ try a late ser 0.10.x version compiled on the target machine |
|
| 24 |
+ (its very important to compile against the same openssl library |
|
| 25 |
+ as the one on the target machine) |
|
| 26 |
+CVS status: fixed / workarround enabled |
|
| 27 |
+-------------------------------------------------------------- |
|
| 11 | 28 |
Desc: ser crashes on startup if a group is specified (-g or group=) |
| 12 | 29 |
Ser version: <=0.8.12 |
| 13 | 30 |
Reason: bad copy & paste :-) |