Strange call stack, could it be problem in asio's usage of openssl?

Question

I have this strange call stack and I am stumped to understand why.

It seems to me that asio calls open ssl's read and then gets a negative return value (-37) .

Asio seems to then try to use it inside the memcpy function.

The function that causes this call stack is used hunderds of thousands of times without this error.

It happens only rarely, about once a week.

ulRead = (boost::asio::read(spCon->socket(), boost::asio::buffer(_requestHeader, _requestHeader.size()), boost::asio::transfer_at_least(_requestHeader.size()), error_));

Note that request header's size is exactly 3 bytes always.

Could anyone shed some light on possible reasons?

Note: I'm using boost asio 1.36

Here is the crashing call stack crash happens in memcpy because of the huge "count":

Answer 1

A quick look at evp_lib.c shows that it tries to pull a length from the cipher context, and in your case gets a Very Bad Value(tm). It then uses this value to copy a string (which does the memcpy). My guess is something is trashing your cipher, be it a thread safety problem, or a reading more bytes into a buffer than allowed.

Relevant source:

int EVP_CIPHER_set_asn1_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
{
int i=0,j;

if (type != NULL)
    {
    j=EVP_CIPHER_CTX_iv_length(c);
    OPENSSL_assert(j <= sizeof c->iv);
    i=ASN1_TYPE_set_octetstring(type,c->oiv,j);
    }
return(i);
}