]> granicus.if.org Git - apache/commitdiff
projects / apache / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 54b2a69)
* modules/ssl/ssl_util_ocsp.c (read_response): Ignore empty buckets in
authorJoe Orton <jorton@apache.org>
Fri, 31 May 2013 16:17:36 +0000 (16:17 +0000)
committerJoe Orton <jorton@apache.org>
Fri, 31 May 2013 16:17:36 +0000 (16:17 +0000)
  the brigade, which can be left over from line splitting.  Fixes case
  where the OCSP response was only partially read from the wire.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1488296 13f79535-47bb-0310-9956-ffa450edef68

CHANGES patch | blob | history
modules/ssl/ssl_util_ocsp.c patch | blob | history

diff --git a/CHANGES b/CHANGES
index c8fe9a5421ca0d6e8113302b1c5a658d321fbf69..9ad28d5830bb16e730abe08ac2d9ca2bc1c4b821 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) mod_ssl: Fix possible truncation of OCSP responses when reading from the
+     server.  [Joe Orton]
+
   *) mod_session_dbd: Make sure that dirty flag is respected when saving
      sessions, and ensure the session ID is changed each time the session
      changes. [Takashi Sato <takashi tks.st>, Graham Leggett]
diff --git a/modules/ssl/ssl_util_ocsp.c b/modules/ssl/ssl_util_ocsp.c
index e5c5e58da242db513bc8355f847c790c978a68e8..757df05f4095447379a32504dac2b8f7cab6cb72 100644 (file)
--- a/modules/ssl/ssl_util_ocsp.c
+++ b/modules/ssl/ssl_util_ocsp.c
@@ -236,7 +236,7 @@ static OCSP_RESPONSE *read_response(apr_socket_t *sd, BIO *bio, conn_rec *c,
         apr_bucket *e = APR_BRIGADE_FIRST(bb);
 
         rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
-        if (rv == APR_EOF || (rv == APR_SUCCESS && len == 0)) {
+        if (rv == APR_EOF) {
             ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01984)
                           "OCSP response: got EOF");
             break;
@@ -246,6 +246,12 @@ static OCSP_RESPONSE *read_response(apr_socket_t *sd, BIO *bio, conn_rec *c,
                           "error reading response from OCSP server");
             return NULL;
         }
+        if (len == 0) {
+            /* Ignore zero-length buckets (possible side-effect of
+             * line splitting). */
+            apr_bucket_delete(e);
+            continue;
+        }
         count += len;
         if (count > MAX_CONTENT) {
             ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01986)
Unnamed repository; edit this file 'description' to name the repository.