Prevent segfaults after SSL renegotiation failures.

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Set aborted flag after renegotiation failure. * modules/ssl/ssl_engine_io.c (ssl_filter_write, ssl_io_filter_output): Don't dereference BIOs in filter_ctx when filter_ctx->pssl is NULL. (ssl_filter_io_shutdown): Set aborted flag on abortive shutdown. PR: 21370 Submitted by: Hartmut Keil <Hartmut.Keil@adnovum.ch> Cleaned up by: Jeff Trawick, Joe Orton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100720 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2003-07-21 12:02:40 +00:00
parent 6d5e39b8f7
commit eb49ea1f5c
3 changed files with 14 additions and 4 deletions
--- a/3
+++ b/3
@@ -2,6 +2,9 @@ Changes with Apache 2.1.0-dev

  [Remove entries to the current 2.0 section below, when backported]

+  *) mod_ssl: Fix segfaults after renegotiation failure. PR 21370
+     [Hartmut Keil <Hartmut.Keil@adnovum.ch>]
+
  *) ab: Overlong credentials given via command line no longer clobber
     the buffer. [Andr<64> Malo]

--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -780,8 +780,7 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
                                     apr_size_t len)
 {
    ssl_filter_ctx_t *filter_ctx = f->ctx;
-    bio_filter_out_ctx_t *outctx = 
-           (bio_filter_out_ctx_t *)(filter_ctx->pbioWrite->ptr);
+    bio_filter_out_ctx_t *outctx;
    int res;

    /* write SSL */
@@ -789,6 +788,7 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
        return APR_EGENERAL;
    }

+    outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr;
    res = SSL_write(filter_ctx->pssl, (unsigned char *)data, len);

    if (res < 0) {
@@ -1003,6 +1003,11 @@ static apr_status_t ssl_filter_io_shutdown(ssl_filter_ctx_t *filter_ctx,
    sslconn->ssl = NULL;
    filter_ctx->pssl = NULL; /* so filters know we've been shutdown */

+    if (abortive) {
+        /* prevent any further I/O */
+        c->aborted = 1;
+    }
+
    return APR_SUCCESS;
 }

@@ -1362,8 +1367,7 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f,
 {
    apr_status_t status = APR_SUCCESS;
    ssl_filter_ctx_t *filter_ctx = f->ctx;
-    bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)
-                                 (filter_ctx->pbioRead->ptr);
+    bio_filter_in_ctx_t *inctx;

    if (f->c->aborted) {
        apr_brigade_cleanup(bb);
@@ -1375,6 +1379,7 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f,
        return ap_pass_brigade(f->next, bb);
    }

+    inctx = (bio_filter_in_ctx_t *)filter_ctx->pbioRead->ptr;
    /* When we are the writer, we must initialize the inctx
     * mode so that we block for any required ssl input, because
     * output filtering is always nonblocking.
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -706,6 +706,7 @@ int ssl_hook_Access(request_rec *r)
                ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
                             "Re-negotiation request failed");

+                r->connection->aborted = 1;
                return HTTP_FORBIDDEN;
            }

@@ -724,6 +725,7 @@ int ssl_hook_Access(request_rec *r)
                             "Re-negotiation handshake failed: "
                        "Not accepted by client!?");

+                r->connection->aborted = 1;
                return HTTP_FORBIDDEN;
            }
        }