From: Christos Tsantilas
Date: Thu, 29 Sep 2016 17:14:00 +0000 (+1300)
Subject: Bug 4581: Secure ICAP segfault in checkForMissingCertificates
X-Git-Tag: SQUID_4_0_15~22
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=19ed078fbca5f542c3a570e181954ca67e35ce42;p=thirdparty%2Fsquid.git

Bug 4581: Secure ICAP segfault in checkForMissingCertificates

The Security::PeerConnector::request member is NULL in the case of secure ICAP. This patch checks if this member is NULL before using it.

Also fixes Security::PeerConnector to send to cert validator the correct domain name. Curretly sends the host name from the HttpRequest object, which is not correct not only for secure ICAP cases (where this object does not exist), but also for the cases where squid connecting to a remote proxy using TLS.

This is a Measurement Factory project
---
diff --git a/src/security/PeerConnector.cc b/src/security/PeerConnector.cc
index a964f7909e..24b6f5b948 100644
--- a/src/security/PeerConnector.cc
+++ b/src/security/PeerConnector.cc
@@ -208,7 +208,8 @@ Security::PeerConnector::sslFinalized()
 // Ssl::CertValidationRequest object used only to pass data to
 // Ssl::CertValidationHelper::submit method.
 validationRequest.ssl = session.get();
- validationRequest.domainName = request->url.host();
+ SBuf *dName = (SBuf *)SSL_get_ex_data(session.get(), ssl_ex_index_server);
+ validationRequest.domainName = dName->c_str();
 if (Security::CertErrors *errs = static_cast(SSL_get_ex_data(session.get(), ssl_ex_index_ssl_errors)))
 // validationRequest disappears on return so no need to cbdataReference
 validationRequest.errors = errs;
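Review bot: The pointer returned by SSL_get_ex_data() for ssl_ex_index_server is dereferenced on the next line (`dName->c_str()`) without a nil check, so a session on which that ex-data slot was never set would fail in the same way this commit is fixing for `request`; the debug line in the sslCrtvdHandleReply hunk dereferences `*server` the same way. Guard the pointer before using it, e.g. `Must(dName);` if that is the file's precondition idiom, or leave domainName empty when the slot is nil. The cast should also match the one used in the sslCrtvdHandleReply hunk: `SBuf *dName = static_cast<SBuf *>(SSL_get_ex_data(session.get(), ssl_ex_index_server));` rather than the C-style `(SBuf *)`. sslFinalized() starts and continues outside the hunk.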
@@ -249,7 +250,11 @@ Security::PeerConnector::sslCrtvdHandleReply(Ssl::CertValidationResponse::Pointe
 return;
 }
- debugs(83,5, request->url.host() << " cert validation result: " << validationResponse->resultCode);
+ if (Debug::Enabled(83, 5)) {
+ Security::SessionPointer ssl(fd_table[serverConnection()->fd].ssl);
+ SBuf *server = static_cast(SSL_get_ex_data(ssl.get(), ssl_ex_index_server));
+ debugs(83,5, *server << " cert validation result: " << validationResponse->resultCode);
+ }
 if (validationResponse->resultCode == ::Helper::Error) {
 if (Security::CertErrors *errs = sslCrtvdCheckForErrors(*validationResponse, errDetails)) {
@@ -565,7 +570,7 @@ Security::PeerConnector::startCertDownloading(SBuf &url)
 "Security::PeerConnector::certDownloadingDone",
 PeerConnectorCertDownloaderDialer(&Security::PeerConnector::certDownloadingDone, this));
- const Downloader *csd = dynamic_cast(request->downloader.valid());
+ const Downloader *csd = (request ? dynamic_cast(request->downloader.valid()) : nullptr);
 Downloader *dl = new Downloader(url, certCallback, csd ? csd->nestedLevel() + 1 : 1);
 AsyncJob::Start(dl);
 }
@@ -619,7 +624,7 @@ Security::PeerConnector::checkForMissingCertificates()
 // certificate located in an SSL site which requires to download a
 // a missing certificate (... from an SSL site which requires to ...).
- const Downloader *csd = request->downloader.get();
+ const Downloader *csd = (request ? request->downloader.get() : nullptr);
 if (csd && csd->nestedLevel() >= MaxNestedDownloads)
 return false;
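Review bot: `Security::SessionPointer ssl(fd_table[serverConnection()->fd].ssl);` takes a fresh owning copy of the session only to call `.get()` on it for a debug message; if the fd_table entry's `ssl` member is already a `Security::SessionPointer` this is just a refcount round-trip, but reading the raw handle directly, `SSL *ssl = fd_table[serverConnection()->fd].ssl.get();`, says what is meant and avoids any question of ownership. Since this hunk and the sslFinalized hunk both fetch the server name from the same ex-data slot, a small accessor (a helper that does the lookup, the cast and the nil check once) would keep the two in sync and give the `*server` dereference here a single place to be guarded. sslCrtvdHandleReply() starts and continues outside the hunk.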
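Review bot: The new guard relies on a property the code does not state anywhere nearby: `request` is nil on connections that carry no HttpRequest, such as secure ICAP per the commit message, and that is why the nested-download level falls back to 1 here; a one-line comment, `// request is nil for non-HTTP peers (e.g., secure ICAP); treat as a top-level download`, would save the next reader from re-deriving it. The same `request ?` test is repeated in the checkForMissingCertificates hunk, where a nil request also bypasses the MaxNestedDownloads check because csd is then nil; a matching comment there, or one shared accessor for the downloader, would keep the two consistent. startCertDownloading() starts outside the hunk.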