open62541 / open62541

Open source implementation of OPC UA (OPC Unified Architecture) aka IEC 62541 licensed under Mozilla Public License v2.0
http://open62541.org

Segment violation closing secure channel using openssl #4304

Closed smitha-cgi closed 3 years ago

smitha-cgi commented 3 years ago

Description

I have an OPC server application which works flawlessly when running inside Visual Studio, but when running the release build, the application sometimes crashes due to heap corruption when a session is closed. I am using OpenSSL 1.1.1k and calling UA_Server_run_iterate(server, false) every 100ms from the main application thread.

Background Information / Reproduction Steps

Happening randomly but regularly. Sessions are using Basic256Sha256, SignAndEncrypt with username/password authentication.

Trace log when working:

06/04/2021 20:16:43.682 : Connection 33276 | SecureChannel 4 | Sending response for RequestId 31 of type CloseSessionResponse
06/04/2021 20:16:43.733 : Connection 33276 | Activity on the socket
06/04/2021 20:16:43.734 : Connection 33276 | Received a packet.
06/04/2021 20:16:43.735 : Connection 33276 | SecureChannel 4 | Verifying chunk signature
06/04/2021 20:16:43.738 : Connection 33276 | SecureChannel 4 | Calculated padding size to be 7
06/04/2021 20:16:43.740 : Connection 33276 | SecureChannel 4 | Process a CLO
06/04/2021 20:16:43.741 : Connection 33276 | SecureChannel 4 | CloseSecureChannel
06/04/2021 20:16:43.842 : Connection 33276 | Activity on the socket
06/04/2021 20:16:43.847 : Connection 33276 | Closed

Trace log when not working:

06/04/2021 20:18:54.497 : Connection 572 | SecureChannel 8 | Sending response for RequestId 31 of type CloseSessionResponse
06/04/2021 20:18:54.597 : Connection 572 | Activity on the socket
06/04/2021 20:18:54.598 : Connection 572 | Received a packet.
06/04/2021 20:18:54.599 : Connection 572 | SecureChannel 8 | Verifying chunk signature
06/04/2021 20:18:54.600 : Connection 572 | SecureChannel 8 | Calculated padding size to be 7
06/04/2021 20:18:54.602 : Connection 572 | SecureChannel 8 | Process a CLO
06/04/2021 20:18:54.603 : Connection 572 | SecureChannel 8 | CloseSecureChannel
06/04/2021 20:18:54.682 : Termination "Segment Violation" caught. (Signal 11) 1

Call stack when crash occurs:

0037df54 77e0e4f3 0037df6c 0037dfbc 0037df6c ntdll!KiUserExceptionDispatcher+0xf
0037e454 77e0e0f3 0c235478 0c2354f4 50496350 ntdll!RtlpLowFragHeapFree+0xc5
0037e46c 755914ad 00460000 00000000 0bc050c0 ntdll!RtlFreeHeap+0x105
0037e480 7246ecfa 00460000 00000000 0bc050c0 kernel32!HeapFree+0x14
0037e494 5040697c 0bc050c0 50352ee1 0bc050c0 msvcr120!free+0x1a
0037e49c 50352ee1 0bc050c0 50494d40 00000155 libcrypto_1_1!CRYPTO_free+0x1c [p:\core\tools\openssl-1.1.1k\crypto\mem.c @ 312]
0037e4b0 5035d6f7 0c235478 00000000 0c2354f4 libcrypto_1_1!asn1_string_embed_free+0x21 [p:\core\tools\openssl-1.1.1k\crypto\asn1\asn1_lib.c @ 341]
0037e4c0 5035d45f 0c2354f4 50496350 00000000 libcrypto_1_1!asn1_primitive_free+0xc7 [p:\core\tools\openssl-1.1.1k\crypto\asn1\tasn_fre.c @ 204]
0037e4e0 5035d805 0c2354f4 00000000 00000000 libcrypto_1_1!asn1_item_embed_free+0x6f [p:\core\tools\openssl-1.1.1k\crypto\asn1\tasn_fre.c @ 115]
0037e504 5035d55a 0c2354f4 0c2354f4 0037e540 libcrypto_1_1!asn1_template_free+0xa5 [p:\core\tools\openssl-1.1.1k\crypto\asn1\tasn_fre.c @ 142]
0037e528 5035d3e0 504f0d58 00000000 00000000 libcrypto_1_1!asn1_item_embed_free+0x16a [p:\core\tools\openssl-1.1.1k\crypto\asn1\tasn_fre.c @ 110]
0037e538 5046ca0e 0c2354f0 504f0d6c 5044b152 libcrypto_1_1!ASN1_item_free+0x10 [p:\core\tools\openssl-1.1.1k\crypto\asn1\tasn_fre.c @ 20]
0037e544 5044b152 0c2354f0 504f0e04 0c13d7f8 libcrypto_1_1!X509_NAME_ENTRY_free+0xe [p:\core\tools\openssl-1.1.1k\crypto\x509\x_name.c @ 51]
0037e558 5046c944 0c13d878 502e4a11 0c2352b0 libcrypto_1_1!OPENSSL_sk_pop_free+0x22 [p:\core\tools\openssl-1.1.1k\crypto\stack\stack.c @ 368]
0037e570 5035d4e4 061562dc 504f0e04 061562dc libcrypto_1_1!x509_name_ex_free+0x24 [p:\core\tools\openssl-1.1.1k\crypto\x509\x_name.c @ 123]
0037e58c 5035d805 061562dc 5046c5f0 00000000 libcrypto_1_1!asn1_item_embed_free+0xf4 [p:\core\tools\openssl-1.1.1k\crypto\asn1\tasn_fre.c @ 83]
0037e5b0 5035d55a 061562dc 061562dc 0037e5f4 libcrypto_1_1!asn1_template_free+0xa5 [p:\core\tools\openssl-1.1.1k\crypto\asn1\tasn_fre.c @ 142]
0037e5d4 5035d805 504f118c 00000000 00001000 libcrypto_1_1!asn1_item_embed_free+0x16a [p:\core\tools\openssl-1.1.1k\crypto\asn1\tasn_fre.c @ 110]
0037e5f8 5035d55a 061562c0 0037e5f4 0037e634 libcrypto_1_1!asn1_template_free+0xa5 [p:\core\tools\openssl-1.1.1k\crypto\asn1\tasn_fre.c @ 142]
0037e61c 5035d3e0 504f10e0 5046dfa0 00000000 libcrypto_1_1!asn1_item_embed_free+0x16a [p:\core\tools\openssl-1.1.1k\crypto\asn1\tasn_fre.c @ 110]
0037e62c 5046e24e 061562c0 504f111c 013dbb17 libcrypto_1_1!ASN1_item_free+0x10 [p:\core\tools\openssl-1.1.1k\crypto\asn1\tasn_fre.c @ 20]
0037e638 013dbb17 061562c0 00491390 0037e65c libcrypto_1_1!X509_free+0xe [p:\core\tools\openssl-1.1.1k\crypto\x509\x_x509.c @ 109]
0037e648 013ddd5c 00491390 0037e678 00000000 opcserverua!UA_SecurityPolicy_Basic256Sha256+0x5d7
0037e65c 013ca63f 004c9280 0037e67c 013ae931 opcserverua!UA_SecureChannel_close+0xac [p:\core\tools\open62541\src\ua_securechannel.c @ 129]
0037e668 013ae931 00000000 004c9238 0037e694 opcserverua!removeSecureChannelCallback+0xf [p:\core\tools\open62541\src\server\ua_services_securechannel.c @ 22]
0037e67c 013c3114 06481590 013ca630 00000000 opcserverua!serverExecuteRepeatedCallback+0x11 [p:\core\tools\open62541\src\server\ua_server.c @ 673]
0037e6c8 013ade71 06481888 adfe6b79 00000c1f opcserverua!UA_Timer_process+0xb4 [p:\core\tools\open62541\src\ua_timer.c @ 183]
0037e70c 013a27d7 06481590 00000000 924675dc opcserverua!UA_Server_run_iterate+0x51 [p:\core\tools\open62541\src\server\ua_server.c @ 681]

Used CMake options:

UA_ENABLE_DA=1 UA_ENABLE_DISCOVERY=1 UA_ENABLE_ENCRYPTION=1 UA_ENABLE_ENCRYPTION_OPENSSL=1 UA_ENABLE_METHODCALLS=1 UA_ENABLE_NODEMANAGEMENT=1 UA_ENABLE_PARSING=1 UA_ENABLE_SUBSCRIPTIONS=1 UA_LOGLEVEL=100 UA_MULTITHREADING=0


smitha-cgi commented 3 years ago

Ignore this; code in the activateSession callback was causing memory corruption.