From 41cd334ad682676f9c1ff45518703b633e5b64e1 Mon Sep 17 00:00:00 2001
From: Stefan Fritsch
Date: Sat, 2 Jun 2012 22:28:26 +0000
Subject: [PATCH] Avoid buffer overflow if one protocol string is too long, but at least one is not. Also add log messages numbers and avoid useless string dup.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1345599 13f79535-47bb-0310-9956-ffa450edef68
---
 docs/log-message-tags/next-number | 2 +-
 modules/ssl/ssl_engine_io.c | 5 ++---
 modules/ssl/ssl_engine_kernel.c | 4 +++-
 3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number
index 1c127b0ee2..2c9fd9df4d 100644
--- a/docs/log-message-tags/next-number
+++ b/docs/log-message-tags/next-number
@@ -1 +1 @@
-2306
+2308
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index 205a4b3617..12c9c7fc2f 100644
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -1388,9 +1388,8 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
 SSL_get0_next_proto_negotiated(
 inctx->ssl, &next_proto, &next_proto_len);
 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
- "SSL NPN negotiated protocol: '%s'",
- apr_pstrmemdup(f->c->pool, (const char*)next_proto,
- next_proto_len));
+ APLOGNO(02306) "SSL NPN negotiated protocol: '%*s'",
+ next_proto_len, (const char*)next_proto);
 modssl_run_npn_proto_negotiated_hook(
 f->c, (const char*)next_proto, next_proto_len);
 inctx->npn_finished = 1;
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index cc25a6a0a0..bc9e26b92f 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
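Review bot: In the ssl_engine_io.c hunk, `'%*s'` with `next_proto_len` sets a minimum field width, not a maximum, so the formatter still reads `next_proto` up to the first NUL byte. The removed `apr_pstrmemdup(..., next_proto_len)` copy suggests the negotiated-protocol buffer is not NUL-terminated, in which case this debug log call can read past the end of peer-supplied data. A precision bounds the read: `APLOGNO(02306) "SSL NPN negotiated protocol: '%.*s'",` followed by `(int)next_proto_len, (const char*)next_proto);`. The cast is there because `*` consumes an `int` argument, and the declaration of `next_proto_len` is outside the hunk. ssl_io_filter_input's body starts and ends outside the hunk.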
@@ -2189,7 +2189,7 @@ int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
 /* If the protocol name is too long (the length must fit in one byte),
 * then log an error and skip it. */
 if (length > 255) {
- ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02307)
 "SSL NPN protocol name too long (length=%u): %s",
 length, string);
 continue;
@@ -2213,6 +2213,8 @@ int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
 for (i = 0; i < num_protos; ++i) {
 const char *string = APR_ARRAY_IDX(protos, i, const char*);
 apr_size_t length = strlen(string);
+ if (length > 255)
+ continue;
 *start = (unsigned char)length;
 ++start;
 memcpy(start, string, length * sizeof(unsigned char));
-- 
2.40.0
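Review bot: The added `if (length > 255) continue;` in the copy loop of ssl_callback_AdvertiseNextProtos has to stay identical to the skip in the earlier loop (the -2189 hunk), and nothing in the code says so. Going by the commit message, the earlier loop determines how much space the copy loop may fill; if the two conditions ever diverge, the copy loop writes entries that were never counted, which is the overflow this commit fixes. I would put a comment on the new check, `/* Must match the skip in the loop above: the buffer was sized without this entry. */`, and name the limit once (for example an `enum` constant for 255) so both loops share one value. The allocation between the two loops and the start of the function are outside the hunk, so the sizing logic is inferred rather than visible.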