From: Christos Tsantilas <chtsanti@users.sourceforge.net>
Date: Mon, 2 Dec 2013 18:33:26 +0000 (+0200)
Subject: Bug 3935: Invalid pointer dereference when peeking at origin server certificate
X-Git-Tag: SQUID_3_5_0_1~478
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1b85f289dab2b9c67e6be51fa9793560badc1cc6;p=thirdparty%2Fsquid.git

Bug 3935: Invalid pointer dereference when peeking at origin server certificate

We must check request->clientConnectionManager pointer for validity before
dereferencing it.

This is a Measurement Factory project
---

diff --git a/src/FwdState.cc b/src/FwdState.cc
index 2e3f1d56b4..82fb20f04d 100644
--- a/src/FwdState.cc
+++ b/src/FwdState.cc
@@ -713,17 +713,17 @@ FwdState::negotiateSSL(int fd)
                     if (Ssl::CertErrors *errs = static_cast<Ssl::CertErrors*>(SSL_get_ex_data(ssl, ssl_ex_index_ssl_errors)))
                         serverBump->sslErrors = cbdataReference(errs);
                 }
-            }
 
-            // For intercepted connections, set the host name to the server
-            // certificate CN. Otherwise, we just hope that CONNECT is using
-            // a user-entered address (a host name or a user-entered IP).
-            const bool isConnectRequest = !request->clientConnectionManager->port->flags.isIntercepted();
-            if (request->flags.sslPeek && !isConnectRequest) {
-                if (X509 *srvX509 = errDetails->peerCert()) {
-                    if (const char *name = Ssl::CommonHostName(srvX509)) {
-                        request->SetHost(name);
-                        debugs(83, 3, HERE << "reset request host: " << name);
+                // For intercepted connections, set the host name to the server
+                // certificate CN. Otherwise, we just hope that CONNECT is using
+                // a user-entered address (a host name or a user-entered IP).
+                const bool isConnectRequest = !request->clientConnectionManager->port->flags.isIntercepted();
+                if (request->flags.sslPeek && !isConnectRequest) {
+                    if (X509 *srvX509 = errDetails->peerCert()) {
+                        if (const char *name = Ssl::CommonHostName(srvX509)) {
+                            request->SetHost(name);
+                            debugs(83, 3, HERE << "reset request host: " << name);
+                        }
                     }
                 }
             }
@@ -964,7 +964,8 @@ FwdState::initiateSSL()
         // unless it was the CONNECT request with a user-typed address.
         const char *hostname = request->GetHost();
         const bool hostnameIsIp = request->GetHostIsNumeric();
-        const bool isConnectRequest = !request->clientConnectionManager->port->flags.isIntercepted();
+        const bool isConnectRequest = request->clientConnectionManager.valid() &&
+                                      !request->clientConnectionManager->port->flags.isIntercepted();
         if (!request->flags.sslPeek || isConnectRequest)
             SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)hostname);