BUG/MINOR: acl: req_ssl_sni would randomly fail if a session ID is present

The wrong byte was checked for the session_id length in the payload. This
used to work when the session ID was absent because zero was found there,
but when a session ID is present, there is 1/256 chance that the inspected
data contains 0x20 (the actual session ID length), so it fails.

Thanks to Emmanuel Bézagu for reporting this bug.

This bug does not need backporting, it is 1.5 specific.

diff --git a/src/acl.c b/src/acl.c
index 6d4eed3d73333f2fe1bc3d2702634be882575c66..46307434cbf6982f959cbe4f911d278bd209b357 100644 (file)
--- a/src/acl.c
+++ b/src/acl.c
@@ -290,7 +290,7 @@ acl_fetch_req_ssl_ver(struct proxy *px, struct session *l4, void *l7, int dir,
  *     - uint24 length                                 (handshake message length)
  *     - ClientHello :
  *       - uint16 client_version             >= 0x0301 (TLSv1)
- *       - uint8 Random[32]
+ *       - uint8 Random[32]                  (4 first ones are timestamp)
  *       - SessionID :
  *         - uint8 session_id_len (0..32)              (SessionID len in bytes)
  *         - uint8 session_id[session_id_len]
@@ -370,7 +370,7 @@ acl_fetch_ssl_hello_sni(struct proxy *px, struct session *l4, void *l7, int dir,
        if (data[0] < 0x03 || data[1] < 0x01) /* TLSv1 minimum */
                goto not_ssl_hello;
 
-       ext_len = data[35];
+       ext_len = data[34]; /* session_id_len */
        if (ext_len > 32 || ext_len > (hs_len - 35)) /* check for correct session_id len */
                goto not_ssl_hello;