From: Jim Jagielski Date: Tue, 20 Nov 2007 14:16:11 +0000 (+0000) Subject: *) mod_ssl: Prevent memory corruption of version string. X-Git-Tag: 2.2.7~212 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=59f0670dc633491cc9e9f338a6b1695955fa2cb7;p=thirdparty%2Fapache%2Fhttpd.git *) mod_ssl: Prevent memory corruption of version string. PR 43865 43334 [William Rowe, Joe Orton] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@596683 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index f288923fed0..69dc5db6c40 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.2.7
+ *) mod_ssl: Prevent memory corruption of version string.
+ PR 43865 43334 [William Rowe, Joe Orton]
+
 *) core: Avoid some unexpected connection closes by telling the client that the connection is not persistent if the MPM process handling the request is already exiting when the response header is built.
diff --git a/STATUS b/STATUS
index d2fe258d509..906546c6929 100644
--- a/STATUS
+++ b/STATUS
@@ -109,19 +109,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
 niq says: done
 jim: +1
- * mod_ssl: Don't use the pconf pool for allocating memory pointed by
- a local static variable. PR 43865.
- trunk:
- http://svn.apache.org/viewvc?view=rev&revision=591384
- 2.2.x:
- Trunk patch has a simple conflict due to name change of
- a optional function variable, refreshed patch:
- http://people.apache.org/~davi/ssl_engine_var_safe.patch
- +1: davi, rpluem, jim
- rpluem says: CHANGES patch at
- http://people.apache.org/~rpluem/patches/CHANGES-43334.diff
-
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
 [ New proposals should be added at the end of the list ]
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 35d0b88bcd7..01d5b43bb95 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -500,7 +500,7 @@ static void ssl_register_hooks(apr_pool_t *p)
 ap_hook_insert_filter (ssl_hook_Insert_Filter, NULL,NULL, APR_HOOK_MIDDLE);
 /* ap_hook_handler (ssl_hook_Upgrade, NULL,NULL, APR_HOOK_MIDDLE); */
- ssl_var_register();
+ ssl_var_register(p);
 APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
 APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
index 7bb369c97b1..97d8d9a71cb 100644
--- a/modules/ssl/ssl_engine_vars.c
+++ b/modules/ssl/ssl_engine_vars.c
@@ -49,7 +49,7 @@ static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs);
 static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c);
 static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var);
 static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize);
-static char *ssl_var_lookup_ssl_version(apr_pool_t *pp, apr_pool_t *p, char *var);
+static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var);
 static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl);
 static int ssl_is_https(conn_rec *c)
@@ -58,12 +58,32 @@ static int ssl_is_https(conn_rec *c)
 return sslconn && sslconn->ssl;
 }
-void ssl_var_register(void)
+static const char var_interface[] = "mod_ssl/" MOD_SSL_VERSION;
+static char var_library_interface[] = SSL_LIBRARY_TEXT;
+static char *var_library = NULL;
+
+void ssl_var_register(apr_pool_t *p)
 {
+ char *cp, *cp2;
+
 APR_REGISTER_OPTIONAL_FN(ssl_is_https);
 APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
 APR_REGISTER_OPTIONAL_FN(ssl_ext_lookup);
- return;
+
+ /* Perform once-per-process library version determination: */
+ var_library = apr_pstrdup(p, SSL_LIBRARY_DYNTEXT);
+
+ if ((cp = strchr(var_library, ' ')) != NULL) {
+ *cp = '/';
+ if ((cp2 = strchr(cp, ' ')) != NULL)
+ *cp2 = NUL;
+ }
+
+ if ((cp = strchr(var_library_interface, ' ')) != NULL) {
+ *cp = '/';
+ if ((cp2 = strchr(cp, ' ')) != NULL)
+ *cp2 = NUL;
+ }
 }
 /* This function must remain safe to use for a non-SSL connection. */
@@ -190,7 +210,7 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
 */
 if (result == NULL) {
 if (strlen(var) > 12 && strcEQn(var, "SSL_VERSION_", 12))
- result = ssl_var_lookup_ssl_version(s->process->pool, p, var+12);
+ result = ssl_var_lookup_ssl_version(p, var+12);
 else if (strcEQ(var, "SERVER_SOFTWARE"))
 result = ap_get_server_banner();
 else if (strcEQ(var, "API_VERSION")) {
@@ -262,8 +282,7 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, char *var)
 ssl = sslconn->ssl;
 if (strlen(var) > 8 && strcEQn(var, "VERSION_", 8)) {
- result = ssl_var_lookup_ssl_version(c->base_server->process->pool,
- p, var+8);
+ result = ssl_var_lookup_ssl_version(p, var+8);
 }
 else if (ssl != NULL && strcEQ(var, "PROTOCOL")) {
 result = (char *)SSL_get_version(ssl);
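Review bot: `var_library` is now a file-scope pointer into memory owned by the pool passed to `ssl_var_register()`, and nothing beside its definition states that lifetime dependency. If that pool is ever cleared or destroyed without `ssl_var_register()` running again before the next `SSL_VERSION_LIBRARY` lookup, the pointer dangles and the lookup copies from freed pool memory, which is the class of fault this commit sets out to remove. A comment at the definition would pin the contract, e.g. `/* Points into the pool given to ssl_var_register(); must be re-registered whenever that pool is cleared. */`. The same applies to the comment added in ssl_private.h, which says "process pool" while the caller in mod_ssl.c passes whatever pool `ssl_register_hooks()` receives; which pool that is cannot be seen in this diff and should be confirmed. The "once-per-process" wording also holds only if registration runs once per process, although repeating the in-place edit of `var_library_interface` is harmless because the string contains no space after the first pass.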
@@ -634,43 +653,19 @@ static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algke
 return;
 }
-static char *ssl_var_lookup_ssl_version(apr_pool_t *pp, apr_pool_t *p, char *var)
+static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var)
 {
- static char interface[] = "mod_ssl/" MOD_SSL_VERSION;
- static char library_interface[] = SSL_LIBRARY_TEXT;
- static char *library = NULL;
- char *result;
-
- if (!library) {
- char *cp, *cp2;
- library = apr_pstrdup(pp, SSL_LIBRARY_DYNTEXT);
- if ((cp = strchr(library, ' ')) != NULL) {
- *cp = '/';
- if ((cp2 = strchr(cp, ' ')) != NULL)
- *cp2 = NUL;
- }
- if ((cp = strchr(library_interface, ' ')) != NULL) {
- *cp = '/';
- if ((cp2 = strchr(cp, ' ')) != NULL)
- *cp2 = NUL;
- }
- }
-
 if (strEQ(var, "INTERFACE")) {
- result = apr_pstrdup(p, interface);
+ return apr_pstrdup(p, var_interface);
 }
 else if (strEQ(var, "LIBRARY_INTERFACE")) {
- result = apr_pstrdup(p, library_interface);
+ return apr_pstrdup(p, var_library_interface);
 }
 else if (strEQ(var, "LIBRARY")) {
- result = apr_pstrdup(p, library);
- }
- else {
- result = NULL;
+ return apr_pstrdup(p, var_library);
 }
- return result;
+ return NULL;
 }
-
 const char *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer, const char *oidnum)
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index b66e602311f..64ad36bef4a 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -648,7 +648,9 @@ void ssl_die(void);
 void ssl_log_ssl_error(const char *, int, int, server_rec *);
 /** Variables */
-void ssl_var_register(void);
+
+/* Register variables for the lifetime of the process pool 'p'. */
+void ssl_var_register(apr_pool_t *p);
 char *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
 const char *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer, const char *oid);
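Review bot: The `LIBRARY` branch hands `var_library` to `apr_pstrdup()` while that pointer stays NULL until `ssl_var_register()` has run, and the function carries no comment about that ordering or about why every branch returns a copy. As far as I know `apr_pstrdup()` returns NULL for a NULL source, so an early lookup would look like an unknown variable rather than fault, but that is worth confirming against the APR version in use. I would add a header comment such as `/* Returns a copy allocated from p so callers never hold (and cannot modify) the shared version strings; LIBRARY yields NULL before ssl_var_register() has run. */`.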