Hello,
I am working on a bounds checking gcc(based on Richard Jones work)
with a low enough overhead that will make it acceptable in production code.
And i obtained openssh-3.2.2p1 with the view of testing the effectiveness
of my code detecting the recently reported vunerability,but my code fails
on with an error report of a use of memcpy with overlapping source and
destination regions. I have being able to narrow it down to a call to
EVP_CipherInit in cipher.c:224(function cipher_init).
I checked but couldn't find any man page of EVP_CipherInit.
I will appreciate if u can give me any info on the implementation of
EVP_CipherInit such as to explain this scenario.
Below are some information i hope will be useful.
Thanks
tunji
Debugging using ddd shows this error comes
up the 4th time this line is executed and the arguments to cipher_init
are
Breakpoint 5, cipher_init (cc=0x814ede0, cipher=0x813fc40, key=0x8189480
"?\2110\231?%\210??d?\222zv\236?6QO]", keylen=16, iv=0x8189420
"nf?^'oQo?V???????\f?W", ivlen=16, encrypt=1) at cipher.c:224
Below is the output i obtained running directly
[tjruwase at speedracer openssh-3.2.2p1]$ ./ssh tjruwase at minnow
Bounds Checking GCC v gcc-3.0-3.0 Copyright (C) 1995 Richard W.M. Jones
Bounds Checking comes with ABSOLUTELY NO WARRANTY. For details see file
`COPYING' that should have come with the source to this program.
Bounds Checking is free software, and you are welcome to redistribute it
under certain conditions. See the file `COPYING' for details.
For more information, set GCC_BOUNDS_OPTS to `-help'
<unknown>:0:Bounds error: in memcpy with 0x814edf8 and 0x814edf0 for 16,
source and destination objects overlap.
<unknown>:0: Pointer value: 0x814edf8
<unknown>:0: Object `send_context':
<unknown>:0: Address in memory: 0x814ede0 .. 0x814fe5f
<unknown>:0: Size: 4224 bytes
<unknown>:0: Element size: 1 bytes
<unknown>:0: Number of elements: 4224
<unknown>:0: Created at: packet.c, line 86
<unknown>:0: Storage class: static
Abort (core dumped)
[tjruwase at speedracer openssh-3.2.2p1]$
