Prevent segfaults after SSL renegotiation failures.
authorJoe Orton <jorton@apache.org>
Mon, 21 Jul 2003 12:02:40 +0000 (12:02 +0000)
committerJoe Orton <jorton@apache.org>
Mon, 21 Jul 2003 12:02:40 +0000 (12:02 +0000)
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Set aborted flag
after renegotiation failure.

* modules/ssl/ssl_engine_io.c (ssl_filter_write, ssl_io_filter_output):
Don't dereference BIOs in filter_ctx when filter_ctx->pssl is NULL.
(ssl_filter_io_shutdown): Set aborted flag on abortive shutdown.

PR: 21370
Submitted by: Hartmut Keil <Hartmut.Keil@adnovum.ch>
Cleaned up by: Jeff Trawick, Joe Orton

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100720 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/ssl/ssl_engine_io.c
modules/ssl/ssl_engine_kernel.c

diff --git a/CHANGES b/CHANGES
index 0124d822ddb58f9487721ba8c6df43fc365ac011..23f115c8f118ace55cfe1edc1c521ce7a770bcdd 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@ Changes with Apache 2.1.0-dev
 
   [Remove entries to the current 2.0 section below, when backported]
 
+  *) mod_ssl: Fix segfaults after renegotiation failure. PR 21370
+     [Hartmut Keil <Hartmut.Keil@adnovum.ch>]
+
   *) ab: Overlong credentials given via command line no longer clobber
      the buffer. [AndrĂ© Malo]
 
index 1760b534d3b2a3086c5b40bf55767ff0f5e05c6a..e7cbf96dd5a09e066ccd79e3fef8fcdd7c2145a4 100644 (file)
@@ -780,8 +780,7 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
                                      apr_size_t len)
 {
     ssl_filter_ctx_t *filter_ctx = f->ctx;
-    bio_filter_out_ctx_t *outctx = 
-           (bio_filter_out_ctx_t *)(filter_ctx->pbioWrite->ptr);
+    bio_filter_out_ctx_t *outctx;
     int res;
 
     /* write SSL */
@@ -789,6 +788,7 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
         return APR_EGENERAL;
     }
 
+    outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr;
     res = SSL_write(filter_ctx->pssl, (unsigned char *)data, len);
 
     if (res < 0) {
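Review bot: The deferred `outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr;` assignment is only safe because it sits below the early `return APR_EGENERAL`, and nothing at the assignment says so; a later tidy-up that hoists it back into the declaration would reintroduce the NULL dereference. I would add a comment on that line, e.g. `/* pbioWrite must not be touched once pssl is NULL (connection shut down); keep this below the check */`, and initialise the declaration in the previous hunk as `bio_filter_out_ctx_t *outctx = NULL;` so an accidental early use faults predictably instead of reading an indeterminate pointer. The same applies to `inctx` in ssl_io_filter_output (the hunks at -1362 and -1375). The condition guarding the early return is outside this hunk, so I am assuming it is the pssl test named in the commit message.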
@@ -1003,6 +1003,11 @@ static apr_status_t ssl_filter_io_shutdown(ssl_filter_ctx_t *filter_ctx,
     sslconn->ssl = NULL;
     filter_ctx->pssl = NULL; /* so filters know we've been shutdown */
 
+    if (abortive) {
+        /* prevent any further I/O */
+        c->aborted = 1;
+    }
+
     return APR_SUCCESS;
 }
 
@@ -1362,8 +1367,7 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f,
 {
     apr_status_t status = APR_SUCCESS;
     ssl_filter_ctx_t *filter_ctx = f->ctx;
-    bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)
-                                 (filter_ctx->pbioRead->ptr);
+    bio_filter_in_ctx_t *inctx;
 
     if (f->c->aborted) {
         apr_brigade_cleanup(bb);
@@ -1375,6 +1379,7 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f,
         return ap_pass_brigade(f->next, bb);
     }
 
+    inctx = (bio_filter_in_ctx_t *)filter_ctx->pbioRead->ptr;
     /* When we are the writer, we must initialize the inctx
      * mode so that we block for any required ssl input, because
      * output filtering is always nonblocking.
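Review bot: The `return ap_pass_brigade(f->next, bb);` branch just above the new `inctx` assignment forwards whatever is in bb to the next filter without going through SSL_write, and it deserves a comment stating what is expected to reach it. Its condition is outside the hunk; if it is the pssl == NULL test, then after a non-abortive ssl_filter_io_shutdown (which clears pssl but, per the hunk at -1003, sets `c->aborted` only when `abortive` is true) any later data bucket would presumably leave unencrypted. A comment such as `/* SSL already shut down: only metadata buckets are expected to reach this point */` would record the assumption so it can be checked against the callers. ssl_io_filter_output starts and ends outside this hunk.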
index 18c987c10d7971d63310250825046ac0e592ca3c..a69ee37238535fb01a918d0d190cca93f6c0404d 100644 (file)
@@ -706,6 +706,7 @@ int ssl_hook_Access(request_rec *r)
                 ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
                              "Re-negotiation request failed");
 
+                r->connection->aborted = 1;
                 return HTTP_FORBIDDEN;
             }
 
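Review bot: Setting `r->connection->aborted = 1` right before `return HTTP_FORBIDDEN` has a side effect that is not documented here: judging by the `if (f->c->aborted)` branch in ssl_io_filter_output, which cleans up the brigade, the 403 response is probably discarded and the client just sees the connection end. If that is intended, a comment such as `/* TLS state is unusable after a failed renegotiation; abort the connection so no further I/O is attempted */` would say so. The identical line in the next hunk (-724, "Not accepted by client") needs the same comment, and since both failure paths now perform the same two steps, a small static helper would keep them from drifting apart. ssl_hook_Access continues outside both hunks.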
@@ -724,6 +725,7 @@ int ssl_hook_Access(request_rec *r)
                              "Re-negotiation handshake failed: "
                         "Not accepted by client!?");
 
+                r->connection->aborted = 1;
                 return HTTP_FORBIDDEN;
             }
         }