*) mod_ssl: Prevent memory corruption of version string.

author Jim Jagielski <jim@apache.org>

Tue, 20 Nov 2007 14:16:11 +0000 (14:16 +0000)

committer Jim Jagielski <jim@apache.org>

Tue, 20 Nov 2007 14:16:11 +0000 (14:16 +0000)
author Jim Jagielski <jim@apache.org>
Tue, 20 Nov 2007 14:16:11 +0000 (14:16 +0000)
committer Jim Jagielski <jim@apache.org>
Tue, 20 Nov 2007 14:16:11 +0000 (14:16 +0000)
diff --git a/CHANGES b/CHANGES

index f288923fed0c7d704739aacc06c79484b8f64d66..69dc5db6c4077c3045c8b371eaccba3bb5fa788a 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
  Changes with Apache 2.2.7
  
+  *) mod_ssl: Prevent memory corruption of version string.
+     PR 43865 43334 [William Rowe, Joe Orton]
+
    *) core: Avoid some unexpected connection closes by telling the client
       that the connection is not persistent if the MPM process handling
       the request is already exiting when the response header is built.
diff --git a/STATUS b/STATUS

index d2fe258d509c68e1e1d33c29ba9166a50fe8036c..906546c6929fbd59b1b5edbbad77577e4564af00 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -109,19 +109,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
       niq says: done
       jim: +1
  
-   * mod_ssl: Don't use the pconf pool for allocating memory pointed by
-     a local static variable. PR 43865.
-     trunk:
-         http://svn.apache.org/viewvc?view=rev&revision=591384
-     2.2.x:
-        Trunk patch has a simple conflict due to name change of
-        a optional function variable, refreshed patch:
-        http://people.apache.org/~davi/ssl_engine_var_safe.patch
-     +1: davi, rpluem, jim
-     rpluem says: CHANGES patch at
-                  http://people.apache.org/~rpluem/patches/CHANGES-43334.diff
-
-
  
  PATCHES PROPOSED TO BACKPORT FROM TRUNK:
    [ New proposals should be added at the end of the list ]
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c

index 35d0b88bcd7d95ca55414e2aa1b798c5b64bd263..01d5b43bb95a87125932d57927a1a4ceb67b2f5a 100644 (file)
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -500,7 +500,7 @@ static void ssl_register_hooks(apr_pool_t *p)
      ap_hook_insert_filter (ssl_hook_Insert_Filter, NULL,NULL, APR_HOOK_MIDDLE);
  /*    ap_hook_handler       (ssl_hook_Upgrade,       NULL,NULL, APR_HOOK_MIDDLE); */
  
-    ssl_var_register();
+    ssl_var_register(p);
  
      APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
      APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c

index 7bb369c97b111419747b327f1ed33b4bacb20626..97d8d9a71cb3c18120bfe5abdaca5da9da392f5e 100644 (file)
--- a/modules/ssl/ssl_engine_vars.c
+++ b/modules/ssl/ssl_engine_vars.c
@@ -49,7 +49,7 @@ static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs);
  static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c);
  static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var);
  static void  ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize);
-static char *ssl_var_lookup_ssl_version(apr_pool_t *pp, apr_pool_t *p, char *var);
+static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var);
  static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl);
  
  static int ssl_is_https(conn_rec *c)
@@ -58,12 +58,32 @@ static int ssl_is_https(conn_rec *c)
      return sslconn && sslconn->ssl;
  }
  
-void ssl_var_register(void)
+static const char var_interface[] = "mod_ssl/" MOD_SSL_VERSION;
+static char var_library_interface[] = SSL_LIBRARY_TEXT;
+static char *var_library = NULL;
+
+void ssl_var_register(apr_pool_t *p)
  {
+    char *cp, *cp2;
+
      APR_REGISTER_OPTIONAL_FN(ssl_is_https);
      APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
      APR_REGISTER_OPTIONAL_FN(ssl_ext_lookup);
-    return;
+
+    /* Perform once-per-process library version determination: */
+    var_library = apr_pstrdup(p, SSL_LIBRARY_DYNTEXT);
+
+    if ((cp = strchr(var_library, ' ')) != NULL) {
+        *cp = '/';
+        if ((cp2 = strchr(cp, ' ')) != NULL)
+            *cp2 = NUL;
+    }
+
+    if ((cp = strchr(var_library_interface, ' ')) != NULL) {
+        *cp = '/';
+        if ((cp2 = strchr(cp, ' ')) != NULL)
+            *cp2 = NUL;
+    }
  }
  
  /* This function must remain safe to use for a non-SSL connection. */
@@ -190,7 +210,7 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
       */
      if (result == NULL) {
          if (strlen(var) > 12 && strcEQn(var, "SSL_VERSION_", 12))
-            result = ssl_var_lookup_ssl_version(s->process->pool, p, var+12);
+            result = ssl_var_lookup_ssl_version(p, var+12);
          else if (strcEQ(var, "SERVER_SOFTWARE"))
              result = ap_get_server_banner();
          else if (strcEQ(var, "API_VERSION")) {
@@ -262,8 +282,7 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, char *var)
  
      ssl = sslconn->ssl;
      if (strlen(var) > 8 && strcEQn(var, "VERSION_", 8)) {
-        result = ssl_var_lookup_ssl_version(c->base_server->process->pool,
-                                            p, var+8);
+        result = ssl_var_lookup_ssl_version(p, var+8);
      }
      else if (ssl != NULL && strcEQ(var, "PROTOCOL")) {
          result = (char *)SSL_get_version(ssl);
@@ -634,43 +653,19 @@ static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algke
      return;
  }
  
-static char *ssl_var_lookup_ssl_version(apr_pool_t *pp, apr_pool_t *p, char *var)
+static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var)
  {
-    static char interface[] = "mod_ssl/" MOD_SSL_VERSION;
-    static char library_interface[] = SSL_LIBRARY_TEXT;
-    static char *library = NULL;
-    char *result;
-  
-    if (!library) {
-        char *cp, *cp2;
-        library = apr_pstrdup(pp, SSL_LIBRARY_DYNTEXT);
-        if ((cp = strchr(library, ' ')) != NULL) {
-            *cp = '/';
-            if ((cp2 = strchr(cp, ' ')) != NULL)
-                *cp2 = NUL;
-        }
-        if ((cp = strchr(library_interface, ' ')) != NULL) {
-            *cp = '/';
-            if ((cp2 = strchr(cp, ' ')) != NULL)
-                *cp2 = NUL;
-        }
-    }
-
      if (strEQ(var, "INTERFACE")) {
-        result = apr_pstrdup(p, interface);
+        return apr_pstrdup(p, var_interface);
      }
      else if (strEQ(var, "LIBRARY_INTERFACE")) {
-        result = apr_pstrdup(p, library_interface);
+        return apr_pstrdup(p, var_library_interface);
      }
      else if (strEQ(var, "LIBRARY")) {
-        result = apr_pstrdup(p, library);
-    }
-    else {
-        result = NULL;
+        return apr_pstrdup(p, var_library);
      }
-    return result;
+    return NULL;
  }
-  
  
  const char *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer,
                             const char *oidnum)
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h

index b66e602311ff42ae5a0f0a7842bd3c4b1745bb6b..64ad36bef4abf6879acf54715c0ff51ac134c80d 100644 (file)
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -648,7 +648,9 @@ void         ssl_die(void);
  void         ssl_log_ssl_error(const char *, int, int, server_rec *);
  
  /**  Variables  */
-void         ssl_var_register(void);
+
+/* Register variables for the lifetime of the process pool 'p'. */
+void         ssl_var_register(apr_pool_t *p);
  char        *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
  const char  *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer, const char *oid);
author	Jim Jagielski <jim@apache.org>
	Tue, 20 Nov 2007 14:16:11 +0000 (14:16 +0000)
committer	Jim Jagielski <jim@apache.org>
	Tue, 20 Nov 2007 14:16:11 +0000 (14:16 +0000)
CHANGES		patch \| blob \| blame \| history
STATUS		patch \| blob \| blame \| history
modules/ssl/mod_ssl.c		patch \| blob \| blame \| history
modules/ssl/ssl_engine_vars.c		patch \| blob \| blame \| history
modules/ssl/ssl_private.h		patch \| blob \| blame \| history