From: Joe Orton
Date: Fri, 31 May 2013 16:17:36 +0000 (+0000)
Subject: * modules/ssl/ssl_util_ocsp.c (read_response): Ignore empty buckets in
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=431370d04d2e1b0b8c513c9269555da780bf2ff1;p=thirdparty%2Fapache%2Fhttpd.git
* modules/ssl/ssl_util_ocsp.c (read_response): Ignore empty buckets in the brigade, which can be left over from line splitting. Fixes case where the OCSP response was only partially read from the wire.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1488296 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index c8fe9a5421c..9ad28d5830b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0
+ *) mod_ssl: Fix possible truncation of OCSP responses when reading from the
+ server. [Joe Orton]
+
 *) mod_session_dbd: Make sure that dirty flag is respected when saving sessions, and ensure the session ID is changed each time the session changes. [Takashi Sato , Graham Leggett]
diff --git a/modules/ssl/ssl_util_ocsp.c b/modules/ssl/ssl_util_ocsp.c
index e5c5e58da24..757df05f409 100644
--- a/modules/ssl/ssl_util_ocsp.c
+++ b/modules/ssl/ssl_util_ocsp.c
@@ -236,7 +236,7 @@ static OCSP_RESPONSE *read_response(apr_socket_t *sd, BIO *bio, conn_rec *c, apr_bucket *e = APR_BRIGADE_FIRST(bb); rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
- if (rv == APR_EOF || (rv == APR_SUCCESS && len == 0)) {
+ if (rv == APR_EOF) {
 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01984) "OCSP response: got EOF"); break;
@@ -246,6 +246,12 @@ static OCSP_RESPONSE *read_response(apr_socket_t *sd, BIO *bio, conn_rec *c, "error reading response from OCSP server"); return NULL; }
+ if (len == 0) {
+ /* Ignore zero-length buckets (possible side-effect of
+ * line splitting). */
+ apr_bucket_delete(e);
+ continue;
+ }
 count += len; if (count > MAX_CONTENT) { ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01986)
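Review bot: The zero-length skip added in the second hunk discards the bucket without checking its type, so an EOS or other metadata bucket (whose read, as far as I recall, succeeds with len == 0) is now deleted and the loop goes back for another blocking read, where the old `rv == APR_SUCCESS && len == 0` test would have ended the response. If the input filter chain ever delivers end-of-stream as an EOS bucket rather than as an `APR_EOF` return, read_response will block on a connection the responder has already finished with, holding the TLS handshake until the socket timeout, which a slow or hostile OCSP responder can provoke. Keeping that exit explicit costs one line ahead of the `len == 0` test: `if (APR_BUCKET_IS_EOS(e)) { ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "OCSP response: got EOS"); break; }`. The loop head and the rest of read_response, including whatever timeout the caller sets on `sd`, are outside the hunk, so I cannot tell from here whether that case is reachable.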