From a0403e8220676ecc1272bb02b0aa99e8992b8ec9 Mon Sep 17 00:00:00 2001
From: Jim Jagielski
Date: Tue, 30 May 2017 12:26:05 +0000
Subject: [PATCH] SECURITY: CVE-2017-3169 (cve.mitre.org)
mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port.
Merge r1796343 from trunk:
mod_ssl: fix ctx passed to ssl_io_filter_error()
Consistently pass the expected bio_filter_in_ctx_t to ssl_io_filter_error().
Submitted by: ylavic, covener
Reviewed by: covener, ylavic, jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1796854 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 3 +++
 STATUS | 6 ------
 modules/ssl/ssl_engine_io.c | 15 ++++++++-------
 3 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/CHANGES b/CHANGES
index ddf722da2a..1b815557a3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -18,6 +18,9 @@ Changes with Apache 2.4.26
 *) core: EBCDIC fixes for interim responses with additional headers. [Eric Covener]
+ *) mod_ssl: Consistently pass the expected bio_filter_in_ctx_t
+ to ssl_io_filter_error(). [Yann Ylavic]
+
 *) mod_env: when processing a 'SetEnv' directive, warn if the environment variable name includes a '='. It is likely a configuration error. PR 60249 [Christophe Jaillet]
diff --git a/STATUS b/STATUS
index 28add1d0f4..1ce64c6b43 100644
--- a/STATUS
+++ b/STATUS
@@ -120,12 +120,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
 [ start all new proposals below, under PATCHES PROPOSED. ]
- *) mod_ssl: Consistently pass the expected bio_filter_in_ctx_t
- to ssl_io_filter_error(). [Yann Ylavic]
- trunk patch: http://svn.apache.org/r1796343
- 2.4.x patch: svn merge -c 1796343 ^/httpd/httpd/trunk . (modulo CHANGES)
- +1: covener, ylavic, jim
-
 *) core: Deprecate ap_get_basic_auth_pw() and add ap_get_basic_auth_components().
 trunk patch: http://svn.apache.org/r1796348 
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index b463e1ab07..d1f44e9510 100644
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -936,20 +936,21 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
 * establish an outgoing SSL connection. */
 #define MODSSL_ERROR_BAD_GATEWAY (APR_OS_START_USERERR + 1)
-static void ssl_io_filter_disable(SSLConnRec *sslconn, ap_filter_t *f)
+static void ssl_io_filter_disable(SSLConnRec *sslconn,
+ bio_filter_in_ctx_t *inctx)
 {
- bio_filter_in_ctx_t *inctx = f->ctx;
 SSL_free(inctx->ssl);
 sslconn->ssl = NULL;
 inctx->ssl = NULL;
 inctx->filter_ctx->pssl = NULL;
 }
-static apr_status_t ssl_io_filter_error(ap_filter_t *f,
+static apr_status_t ssl_io_filter_error(bio_filter_in_ctx_t *inctx,
 apr_bucket_brigade *bb,
 apr_status_t status, int is_init)
 {
+ ap_filter_t *f = inctx->f;
 SSLConnRec *sslconn = myConnConfig(f->c);
 apr_bucket *bucket;
 int send_eos = 1;
@@ -962,7 +963,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
 "trying to send HTML error page");
 ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, sslconn->server);
- ssl_io_filter_disable(sslconn, f);
+ ssl_io_filter_disable(sslconn, inctx);
 f->c->keepalive = AP_CONN_CLOSE;
 if (is_init) {
 sslconn->non_ssl_request = NON_SSL_SEND_REQLINE;
@@ -1513,7 +1514,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
 * rather than have SSLEngine On configured. */
 if ((status = ssl_io_filter_handshake(inctx->filter_ctx)) != APR_SUCCESS) {
- return ssl_io_filter_error(f, bb, status, is_init);
+ return ssl_io_filter_error(inctx, bb, status, is_init);
 }
 if (is_init) {
@@ -1567,7 +1568,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
 /* Handle custom errors. */
 if (status != APR_SUCCESS) {
- return ssl_io_filter_error(f, bb, status, 0);
+ return ssl_io_filter_error(inctx, bb, status, 0);
 }
 /* Create a transient bucket out of the decrypted data. */
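Review bot: The new `ssl_io_filter_error` signature now carries the invariant that closes the NULL dereference — the context must be the SSL input filter's `bio_filter_in_ctx_t`, never whatever `f->ctx` happens to be on the calling path — but nothing at the definition says so, and the call from `ssl_io_filter_output` (the last hunk) is precisely the path where, as the commit message implies, `f->ctx` is not the expected input context, so a later "simplification" back to an `ap_filter_t *` parameter would silently reintroduce the bug. I would add above the definition: `/* Takes the input filter's context rather than an ap_filter_t on purpose: f->ctx is not a bio_filter_in_ctx_t on every calling path (see ssl_io_filter_output), so callers pass inctx explicitly and the filter is recovered from inctx->f. */`, which also makes the three call sites in the later hunks (two in `ssl_io_filter_input`, one in `ssl_io_filter_output`) self-explanatory. Within the visible lines `f` is only used to reach the connection (`myConnConfig(f->c)`, `f->c->keepalive`), so `inctx->f` presumably needs to be non-NULL whenever an error is reported; the part of the function that would confirm that lies outside the hunk. The body of `ssl_io_filter_error` continues past the end of this hunk.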
@@ -1752,7 +1753,7 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f,
 inctx->block = APR_BLOCK_READ;
 if ((status = ssl_io_filter_handshake(filter_ctx)) != APR_SUCCESS) {
- return ssl_io_filter_error(f, bb, status, 0);
+ return ssl_io_filter_error(inctx, bb, status, 0);
 }
 while (!APR_BRIGADE_EMPTY(bb) && status == APR_SUCCESS) {
-- 
2.40.0