Commit 0c6feb8b authored by Joe Orton's avatar Joe Orton

Prevent segfaults after SSL renegotiation failures.

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Set aborted flag
after renegotiation failure.

* modules/ssl/ssl_engine_io.c (ssl_filter_write, ssl_io_filter_output):
Don't dereference BIOs in filter_ctx when filter_ctx->pssl is NULL.
(ssl_filter_io_shutdown): Set aborted flag on abortive shutdown.

PR: 21370
Submitted by: Hartmut Keil <Hartmut.Keil@adnovum.ch>
Cleaned up by: Jeff Trawick, Joe Orton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100720 13f79535-47bb-0310-9956-ffa450edef68
parent db063140
+9 −4
@@ -780,8 +780,7 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
                                     apr_size_t len)
{
    ssl_filter_ctx_t *filter_ctx = f->ctx;
    bio_filter_out_ctx_t *outctx = 
           (bio_filter_out_ctx_t *)(filter_ctx->pbioWrite->ptr);
    bio_filter_out_ctx_t *outctx;
    int res;

    /* write SSL */
@@ -789,6 +788,7 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
        return APR_EGENERAL;
    }

    outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr;
    res = SSL_write(filter_ctx->pssl, (unsigned char *)data, len);

    if (res < 0) {
@@ -1003,6 +1003,11 @@ static apr_status_t ssl_filter_io_shutdown(ssl_filter_ctx_t *filter_ctx,
    sslconn->ssl = NULL;
    filter_ctx->pssl = NULL; /* so filters know we've been shutdown */

    if (abortive) {
        /* prevent any further I/O */
        c->aborted = 1;
    }

    return APR_SUCCESS;
}

@@ -1362,8 +1367,7 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f,
{
    apr_status_t status = APR_SUCCESS;
    ssl_filter_ctx_t *filter_ctx = f->ctx;
    bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)
                                 (filter_ctx->pbioRead->ptr);
    bio_filter_in_ctx_t *inctx;

    if (f->c->aborted) {
        apr_brigade_cleanup(bb);
@@ -1375,6 +1379,7 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f,
        return ap_pass_brigade(f->next, bb);
    }

    inctx = (bio_filter_in_ctx_t *)filter_ctx->pbioRead->ptr;
    /* When we are the writer, we must initialize the inctx
     * mode so that we block for any required ssl input, because
     * output filtering is always nonblocking.
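Review bot: The deferred `outctx = ...` assignment in ssl_filter_write and the matching `inctx = ...` in ssl_io_filter_output are safe only because they now sit below the early-return guard, and neither site says so. A later tidy-up that folds them back into the declarations would bring back the NULL dereference on a connection whose peer has forced a renegotiation failure. I would add a comment at both assignments, e.g. `/* pssl is non-NULL here; the BIOs must not be touched after ssl_filter_io_shutdown() */`. The guards fall between the hunks, so I am assuming they test `filter_ctx->pssl` as the commit message describes. ssl_filter_io_shutdown sets `c->aborted` only when `abortive` is true, so the non-abortive path still depends on that pssl guard alone and its header comment should say so.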
+2 −0
@@ -706,6 +706,7 @@ int ssl_hook_Access(request_rec *r)
                ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
                             "Re-negotiation request failed");

                r->connection->aborted = 1;
                return HTTP_FORBIDDEN;
            }

@@ -724,6 +725,7 @@ int ssl_hook_Access(request_rec *r)
                             "Re-negotiation handshake failed: "
                        "Not accepted by client!?");

                r->connection->aborted = 1;
                return HTTP_FORBIDDEN;
            }
        }
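Review bot: Both new `r->connection->aborted = 1;` lines in ssl_hook_Access lack a comment explaining why the connection is aborted while the function still returns HTTP_FORBIDDEN. The output filter in this same commit discards the brigade once `f->c->aborted` is set, so the 403 presumably never reaches the client and the return value matters only to internal processing and logging. Something like `/* SSL state is unusable after a failed renegotiation: stop all further I/O on this connection */` at each site would record that. The function body extends beyond both hunks, so any other failure return in the renegotiation path should be checked for the same flag. It cannot be confirmed from here whether all of them are covered.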