SECURITY: CVE-2017-3169 (cve.mitre.org)

mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.

Merge r1796343 from trunk:

mod_ssl: fix ctx passed to ssl_io_filter_error()

Consistently pass the expected bio_filter_in_ctx_t
to ssl_io_filter_error().

Submitted by: ylavic, covener
Reviewed by: covener, ylavic, jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1796854 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index ddf722da2a2578a0fd836cd89ba895795a688562..1b815557a37759da07c2bb4885108f1c29468059 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -18,6 +18,9 @@ Changes with Apache 2.4.26
   *) core: EBCDIC fixes for interim responses with additional headers.
      [Eric Covener]
 
+  *) mod_ssl: Consistently pass the expected bio_filter_in_ctx_t
+     to ssl_io_filter_error(). [Yann Ylavic]
+
   *) mod_env: when processing a 'SetEnv' directive, warn if the environment
      variable name includes a '='. It is likely a configuration error.
      PR 60249 [Christophe Jaillet]

diff --git a/STATUS b/STATUS
index 28add1d0f4283e204fc9240b7ab5fd55527615f7..1ce64c6b43bf03cd8c47718addf47b07bfc6ea9d 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -120,12 +120,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  *) mod_ssl: Consistently pass the expected bio_filter_in_ctx_t
-     to ssl_io_filter_error(). [Yann Ylavic]
-     trunk patch: http://svn.apache.org/r1796343
-     2.4.x patch: svn merge -c 1796343 ^/httpd/httpd/trunk . (modulo CHANGES)
-     +1: covener, ylavic, jim
-
   *) core: Deprecate ap_get_basic_auth_pw() and add 
      ap_get_basic_auth_components(). 
      trunk patch: http://svn.apache.org/r1796348

diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index b463e1ab0790e325648661ab46d0848ca98d21ae..d1f44e95105b2f18b3f56a7c963343bc2f6e6555 100644 (file)
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -936,20 +936,21 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
  * establish an outgoing SSL connection. */
 #define MODSSL_ERROR_BAD_GATEWAY (APR_OS_START_USERERR + 1)
 
-static void ssl_io_filter_disable(SSLConnRec *sslconn, ap_filter_t *f)
+static void ssl_io_filter_disable(SSLConnRec *sslconn,
+                                  bio_filter_in_ctx_t *inctx)
 {
-    bio_filter_in_ctx_t *inctx = f->ctx;
     SSL_free(inctx->ssl);
     sslconn->ssl = NULL;
     inctx->ssl = NULL;
     inctx->filter_ctx->pssl = NULL;
 }
 
-static apr_status_t ssl_io_filter_error(ap_filter_t *f,
+static apr_status_t ssl_io_filter_error(bio_filter_in_ctx_t *inctx,
                                         apr_bucket_brigade *bb,
                                         apr_status_t status,
                                         int is_init)
 {
+    ap_filter_t *f = inctx->f;
     SSLConnRec *sslconn = myConnConfig(f->c);
     apr_bucket *bucket;
     int send_eos = 1;
@@ -962,7 +963,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
                          "trying to send HTML error page");
             ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, sslconn->server);
 
-            ssl_io_filter_disable(sslconn, f);
+            ssl_io_filter_disable(sslconn, inctx);
             f->c->keepalive = AP_CONN_CLOSE;
             if (is_init) {
                 sslconn->non_ssl_request = NON_SSL_SEND_REQLINE;
@@ -1513,7 +1514,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
      * rather than have SSLEngine On configured.
      */
     if ((status = ssl_io_filter_handshake(inctx->filter_ctx)) != APR_SUCCESS) {
-        return ssl_io_filter_error(f, bb, status, is_init);
+        return ssl_io_filter_error(inctx, bb, status, is_init);
     }
 
     if (is_init) {
@@ -1567,7 +1568,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
 
     /* Handle custom errors. */
     if (status != APR_SUCCESS) {
-        return ssl_io_filter_error(f, bb, status, 0);
+        return ssl_io_filter_error(inctx, bb, status, 0);
     }
 
     /* Create a transient bucket out of the decrypted data. */
@@ -1752,7 +1753,7 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f,
     inctx->block = APR_BLOCK_READ;
 
     if ((status = ssl_io_filter_handshake(filter_ctx)) != APR_SUCCESS) {
-        return ssl_io_filter_error(f, bb, status, 0);
+        return ssl_io_filter_error(inctx, bb, status, 0);
     }
 
     while (!APR_BRIGADE_EMPTY(bb) && status == APR_SUCCESS) {