BUG/MAJOR: ssl: missing tests in ACL fetch functions

Baptiste Assmann observed a crash of 1.5-dev12 occuring when the ssl_sni
fetch was used with no SNI on the input connection and without a prior
has_sni check. A code review revealed several issues :
   1) it was possible to call the has_sni and ssl_sni fetch functions with
      a NULL data_ctx if the handshake fails or if the connection is aborted
      during the handshake.
   2) when no SNI is present, strlen() was called with a NULL parameter in
      smp_fetch_ssl_sni().

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 91e7feed56e25974d1ec8d4153d26931e4db7793..41983394ec9177193a55258791a1b88a57374002 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -782,6 +782,7 @@ smp_fetch_has_sni(struct proxy *px, struct session *l4, void *l7, unsigned int o
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
        smp->type = SMP_T_BOOL;
        smp->data.uint = (l4->si[0].conn.data == &ssl_sock) &&
+               l4->si[0].conn.data_ctx &&
                SSL_get_servername(l4->si[0].conn.data_ctx, TLSEXT_NAMETYPE_host_name) != NULL;
        return 1;
 #else
@@ -797,11 +798,13 @@ smp_fetch_ssl_sni(struct proxy *px, struct session *l4, void *l7, unsigned int o
        smp->flags = 0;
        smp->type = SMP_T_CSTR;
 
-       if (!l4 || l4->si[0].conn.data != &ssl_sock)
+       if (!l4 || !l4->si[0].conn.data_ctx || l4->si[0].conn.data != &ssl_sock)
                return 0;
 
-       /* data points to cookie value */
        smp->data.str.str = (char *)SSL_get_servername(l4->si[0].conn.data_ctx, TLSEXT_NAMETYPE_host_name);
+       if (!smp->data.str.str)
+               return 0;
+
        smp->data.str.len = strlen(smp->data.str.str);
        return 1;
 #else