From: William Lallemand <wlallemand@haproxy.com>
Date: Fri, 4 Oct 2019 15:36:55 +0000 (+0200)
Subject: BUG/MINOR: ssl: abort on sni_keytypes allocation failure
X-Git-Tag: v2.1-dev3~95
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=28a8fce485a94b636f6905134509c1150690b60f;p=thirdparty%2Fhaproxy.git

BUG/MINOR: ssl: abort on sni_keytypes allocation failure

The ssl_sock_populate_sni_keytypes_hplr() function does not return an
error upon an allocation failure.

The process would probably crash during the configuration parsing if the
allocation fail since it tries to copy some data in the allocated
memory.

This patch could be backported as far as 1.5.
---

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index a957d3e9cd..c69cb6c8cc 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3040,7 +3040,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 
 #if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL
 
-static void ssl_sock_populate_sni_keytypes_hplr(const char *str, struct eb_root *sni_keytypes, int key_index)
+static int ssl_sock_populate_sni_keytypes_hplr(const char *str, struct eb_root *sni_keytypes, int key_index)
 {
 	struct sni_keytype *s_kt = NULL;
 	struct ebmb_node *node;
@@ -3060,6 +3060,9 @@ static void ssl_sock_populate_sni_keytypes_hplr(const char *str, struct eb_root
 		 * strncpy will cause sig_abrt errors under certain versions of gcc with -O2
 		 * See: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=60792
 		 */
+		if (!s_kt)
+			return -1;
+
 		memcpy(s_kt->name.key, trash.area, i+1);
 		s_kt->keytypes = 0;
 		ebst_insert(sni_keytypes, &s_kt->name);
@@ -3071,6 +3074,8 @@ static void ssl_sock_populate_sni_keytypes_hplr(const char *str, struct eb_root
 	/* Mark that this CN has the keytype of key_index via keytypes mask */
 	s_kt->keytypes |= 1<<key_index;
 
+	return 0;
+
 }
 
 #endif
@@ -3207,13 +3212,21 @@ static int ssl_sock_load_multi_ckchs(const char *path, struct ckch_store *ckchs,
 	 *     keyindex = 0 | 1 | 4 = 5
 	 */
 	for (n = 0; n < SSL_SOCK_NUM_KEYTYPES; n++) {
+		int ret;
 
 		if (!ssl_sock_is_ckch_valid(&certs_and_keys[n]))
 			continue;
 
 		if (fcount) {
-			for (i = 0; i < fcount; i++)
-				ssl_sock_populate_sni_keytypes_hplr(sni_filter[i], &sni_keytypes_map, n);
+			for (i = 0; i < fcount; i++) {
+				ret = ssl_sock_populate_sni_keytypes_hplr(sni_filter[i], &sni_keytypes_map, n);
+				if (ret < 0) {
+					memprintf(err, "%sunable to allocate SSL context.\n",
+					          err && *err ? *err : "");
+					rv = 1;
+					goto end;
+				}
+			}
 		} else {
 			/* A lot of the following code is OpenSSL boilerplate for processing CN's and SAN's,
 			 * so the line that contains logic is marked via comments
@@ -3226,10 +3239,16 @@ static int ssl_sock_load_multi_ckchs(const char *path, struct ckch_store *ckchs,
 				value = X509_NAME_ENTRY_get_data(entry);
 				if (ASN1_STRING_to_UTF8((unsigned char **)&str, value) >= 0) {
 					/* Important line is here */
-					ssl_sock_populate_sni_keytypes_hplr(str, &sni_keytypes_map, n);
+					ret = ssl_sock_populate_sni_keytypes_hplr(str, &sni_keytypes_map, n);
 
 					OPENSSL_free(str);
 					str = NULL;
+					if (ret < 0) {
+						memprintf(err, "%sunable to allocate SSL context.\n",
+						          err && *err ? *err : "");
+						rv = 1;
+						goto end;
+					}
 				}
 			}
 
@@ -3243,10 +3262,16 @@ static int ssl_sock_load_multi_ckchs(const char *path, struct ckch_store *ckchs,
 					if (name->type == GEN_DNS) {
 						if (ASN1_STRING_to_UTF8((unsigned char **)&str, name->d.dNSName) >= 0) {
 							/* Important line is here */
-							ssl_sock_populate_sni_keytypes_hplr(str, &sni_keytypes_map, n);
+							ret = ssl_sock_populate_sni_keytypes_hplr(str, &sni_keytypes_map, n);
 
 							OPENSSL_free(str);
 							str = NULL;
+							if (ret < 0) {
+								memprintf(err, "%sunable to allocate SSL context.\n",
+								          err && *err ? *err : "");
+								rv = 1;
+								goto end;
+							}
 						}
 					}
 				}