Avoid buffer overflow if one protocol string is too long, but at least

author Stefan Fritsch <sf@apache.org>

Sat, 2 Jun 2012 22:28:26 +0000 (22:28 +0000)

committer Stefan Fritsch <sf@apache.org>

Sat, 2 Jun 2012 22:28:26 +0000 (22:28 +0000)
author Stefan Fritsch <sf@apache.org>
Sat, 2 Jun 2012 22:28:26 +0000 (22:28 +0000)
committer Stefan Fritsch <sf@apache.org>
Sat, 2 Jun 2012 22:28:26 +0000 (22:28 +0000)
diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number

index 1c127b0ee296bbd7681fce1c18cf3c82bf82e1d5..2c9fd9df4db07c4927438409cb7c878fb356cfca 100644 (file)
--- a/docs/log-message-tags/next-number
+++ b/docs/log-message-tags/next-number
@@ -1 +1 @@
-2306
+2308
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c

index 205a4b36170847393feef38c1391b4cedd40a229..12c9c7fc2fbec813ccc81109a41603dea18ea245 100644 (file)
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -1388,9 +1388,8 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
          SSL_get0_next_proto_negotiated(
              inctx->ssl, &next_proto, &next_proto_len);
          ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
-                      "SSL NPN negotiated protocol: '%s'",
-                      apr_pstrmemdup(f->c->pool, (const char*)next_proto,
-                                     next_proto_len));
+                      APLOGNO(02306) "SSL NPN negotiated protocol: '%*s'",
+                      next_proto_len, (const char*)next_proto);
          modssl_run_npn_proto_negotiated_hook(
              f->c, (const char*)next_proto, next_proto_len);
          inctx->npn_finished = 1;
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c

index cc25a6a0a055439252ce6673cef6382b62610bd5..bc9e26b92f6e9d510a85d3e32cf97533512013e4 100644 (file)
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -2189,7 +2189,7 @@ int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
          /* If the protocol name is too long (the length must fit in one byte),
           * then log an error and skip it. */
          if (length > 255) {
-            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
+            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02307)
                            "SSL NPN protocol name too long (length=%u): %s",
                            length, string);
              continue;
@@ -2213,6 +2213,8 @@ int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
      for (i = 0; i < num_protos; ++i) {
          const char *string = APR_ARRAY_IDX(protos, i, const char*);
          apr_size_t length = strlen(string);
+        if (length > 255)
+            continue;
          *start = (unsigned char)length;
          ++start;
          memcpy(start, string, length * sizeof(unsigned char));
author	Stefan Fritsch <sf@apache.org>
	Sat, 2 Jun 2012 22:28:26 +0000 (22:28 +0000)
committer	Stefan Fritsch <sf@apache.org>
	Sat, 2 Jun 2012 22:28:26 +0000 (22:28 +0000)
docs/log-message-tags/next-number		patch \| blob \| history
modules/ssl/ssl_engine_io.c		patch \| blob \| history
modules/ssl/ssl_engine_kernel.c		patch \| blob \| history