From 0c3d56362b9da4ee86ad5df66edc8bed90052025 Mon Sep 17 00:00:00 2001
From: Joe Orton 
Date: Fri, 31 May 2013 16:17:36 +0000
Subject: [PATCH] * modules/ssl/ssl_util_ocsp.c (read_response): Ignore empty buckets in the brigade, which can be left over from line splitting. Fixes case where the OCSP response was only partially read from the wire.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1488296 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES                     | 3 +++
 modules/ssl/ssl_util_ocsp.c | 8 +++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index c8fe9a5421..9ad28d5830 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) mod_ssl: Fix possible truncation of OCSP responses when reading from the
+     server. [Joe Orton]
+
   *) mod_session_dbd: Make sure that dirty flag is respected when saving
      sessions, and ensure the session ID is changed each time the session
      changes. [Takashi Sato , Graham Leggett]
diff --git a/modules/ssl/ssl_util_ocsp.c b/modules/ssl/ssl_util_ocsp.c
index e5c5e58da2..757df05f40 100644
--- a/modules/ssl/ssl_util_ocsp.c
+++ b/modules/ssl/ssl_util_ocsp.c
@@ -236,7 +236,7 @@ static OCSP_RESPONSE *read_response(apr_socket_t *sd, BIO *bio, conn_rec *c,
         apr_bucket *e = APR_BRIGADE_FIRST(bb);
 
         rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
-        if (rv == APR_EOF || (rv == APR_SUCCESS && len == 0)) {
+        if (rv == APR_EOF) {
             ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01984)
                           "OCSP response: got EOF");
             break;
@@ -246,6 +246,12 @@ static OCSP_RESPONSE *read_response(apr_socket_t *sd, BIO *bio, conn_rec *c,
                           "error reading response from OCSP server");
             return NULL;
         }
+        if (len == 0) {
+            /* Ignore zero-length buckets (possible side-effect of
+             * line splitting). */
+            apr_bucket_delete(e);
+            continue;
+        }
         count += len;
         if (count > MAX_CONTENT) {
             ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01986)
-- 
2.40.0
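Review bot: After the new `apr_bucket_delete(e); continue;` in the second ssl_util_ocsp.c hunk, the loop goes back to `APR_BRIGADE_FIRST(bb)` with no visible check that the brigade is still non-empty; on an empty brigade that macro yields the ring sentinel, and calling `apr_bucket_read` on it is undefined behaviour. The first hunk removes the `rv == APR_SUCCESS && len == 0` path, so if, as with apr-util's socket bucket, end-of-stream is reported as a zero-length successful read rather than APR_EOF, the zero-length bucket left behind is now deleted and the loop falls into that case instead of breaking, which could crash the OCSP client on a closed or short response rather than merely truncating it. Adding `if (APR_BRIGADE_EMPTY(bb)) break;` after the delete (or testing it in the loop condition) keeps the fix for split-off empty buckets while still terminating cleanly. The enclosing while loop and read_response itself start and end outside the hunk, so such a guard may already exist there; please confirm.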