From eb49ea1f5cc031d77ea0ff5490269d9bb7fb4cf2 Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Mon, 21 Jul 2003 12:02:40 +0000
Subject: [PATCH] Prevent segfaults after SSL renegotiation failures.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Set aborted flag after renegotiation failure.
* modules/ssl/ssl_engine_io.c (ssl_filter_write, ssl_io_filter_output): Don't dereference BIOs in filter_ctx when filter_ctx->pssl is NULL. (ssl_filter_io_shutdown): Set aborted flag on abortive shutdown.
PR: 21370
Submitted by: Hartmut Keil
Cleaned up by: Jeff Trawick, Joe Orton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100720 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 3 +++
 modules/ssl/ssl_engine_io.c | 13 +++++++++----
 modules/ssl/ssl_engine_kernel.c | 2 ++
 3 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/CHANGES b/CHANGES
index 0124d822dd..23f115c8f1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@ Changes with Apache 2.1.0-dev
 [Remove entries to the current 2.0 section below, when backported]
+ *) mod_ssl: Fix segfaults after renegotiation failure. PR 21370
+ [Hartmut Keil ]
+
 *) ab: Overlong credentials given via command line no longer clobber the buffer. [André Malo]
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index 1760b534d3..e7cbf96dd5 100644
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -780,8 +780,7 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
 apr_size_t len)
 {
 ssl_filter_ctx_t *filter_ctx = f->ctx;
- bio_filter_out_ctx_t *outctx =
- (bio_filter_out_ctx_t *)(filter_ctx->pbioWrite->ptr);
+ bio_filter_out_ctx_t *outctx;
 int res;
 /* write SSL */
@@ -789,6 +788,7 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
 return APR_EGENERAL;
 }
+ outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr;
 res = SSL_write(filter_ctx->pssl, (unsigned char *)data, len);
 if (res < 0) {
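Review bot: The `outctx` assignment moved in the second ssl_filter_write hunk (`@@ -789`) is only safe because it now sits after the guard that returns APR_EGENERAL, and nothing on that line records the ordering constraint, so a later cleanup that folds the declaration and initializer back together (the exact form this commit removes) would silently reintroduce the NULL dereference. I would put `/* pbioWrite->ptr is only valid while pssl is set; keep this after the pssl check above */` on the line before the assignment. The guard itself lies between the two hunks, so I am inferring from the commit message that it tests `filter_ctx->pssl`. The same applies to the `inctx` assignment moved in ssl_io_filter_output (the `@@ -1375` hunk), where the checks it now follows are likewise outside the hunk. The body of ssl_filter_write continues past the end of this hunk.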
@@ -1003,6 +1003,11 @@ static apr_status_t ssl_filter_io_shutdown(ssl_filter_ctx_t *filter_ctx,
 sslconn->ssl = NULL;
 filter_ctx->pssl = NULL; /* so filters know we've been shutdown */
+ if (abortive) {
+ /* prevent any further I/O */
+ c->aborted = 1;
+ }
+
 return APR_SUCCESS;
 }
@@ -1362,8 +1367,7 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f,
 {
 apr_status_t status = APR_SUCCESS;
 ssl_filter_ctx_t *filter_ctx = f->ctx;
- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)
- (filter_ctx->pbioRead->ptr);
+ bio_filter_in_ctx_t *inctx;
 if (f->c->aborted) {
 apr_brigade_cleanup(bb);
@@ -1375,6 +1379,7 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f,
 return ap_pass_brigade(f->next, bb);
 }
+ inctx = (bio_filter_in_ctx_t *)filter_ctx->pbioRead->ptr;
 /* When we are the writer, we must initialize the inctx
 * mode so that we block for any required ssl input, because
 * output filtering is always nonblocking.
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 18c987c10d..a69ee37238 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -706,6 +706,7 @@ int ssl_hook_Access(request_rec *r)
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
 "Re-negotiation request failed");
+ r->connection->aborted = 1;
 return HTTP_FORBIDDEN;
 }
@@ -724,6 +725,7 @@ int ssl_hook_Access(request_rec *r)
 "Re-negotiation handshake failed: "
 "Not accepted by client!?");
+ r->connection->aborted = 1;
 return HTTP_FORBIDDEN;
 }
 }
-- 
2.50.1
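Review bot: The `/* prevent any further I/O */` comment in the ssl_filter_io_shutdown hunk describes an effect the assignment does not have on its own; `c->aborted` only stops traffic because the output filter in this same file tests `f->c->aborted` and cleans up the brigade it is handed (visible in the `@@ -1362` hunk), and every other path that could touch the connection has to make that same check. I would make the dependency explicit: `/* mark the connection dead: ssl_io_filter_output drops output once c->aborted is set, and pssl is already NULL so no filter can reach the SSL object */`. `c` is presumably the connection parameter of ssl_filter_io_shutdown, whose signature and the start of its body lie before the hunk.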
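Review bot: Both `r->connection->aborted = 1;` additions in ssl_hook_Access (the `@@ -706` hunk and `@@ -724`) come with no explanation, and the consequence is easy to miss: once the connection is aborted, ssl_io_filter_output in ssl_engine_io.c cleans up whatever brigade it is handed (the `@@ -1362` hunk), so the HTTP_FORBIDDEN returned on the next line presumably never reaches the client, which only sees the connection close. If that is the intent, a comment at the first site such as `/* the SSL session is unusable after a failed renegotiation; abort the connection rather than try to send the 403 over it */` records it, and the second site can be left as is or refer back to it. The log messages are the only visible clue to which renegotiation step failed at each site; the enclosing function body lies outside both hunks.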