From: Jeff Trawick Date: Sat, 22 Nov 2014 14:51:01 +0000 (+0000) Subject: mod_ssl: Fix recognition of OCSP stapling responses that are encoded X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8d5e090775f463cedb7a56e8216fe2b183cd2bad;p=thirdparty%2Fapache%2Fhttpd.git mod_ssl: Fix recognition of OCSP stapling responses that are encoded improperly or too large. The one byte "ok" flag stored with the response was accounted for in the wrong condition. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1641077 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 00f5887df05..a9621087584 100644 --- a/CHANGES +++ b/CHANGES @@ -5,6 +5,9 @@ Changes with Apache 2.5.0 mod_proxy_fcgi: Fix a potential crash with response headers' size above 8K. [Teguh , Yann Ylavic, Jeff Trawick] + *) mod_ssl: Fix recognition of OCSP stapling responses that are encoded + improperly or too large. [Jeff Trawick] + *) mod_proxy_fcgi, mod_authnz_fcgi: stop reading the response and issue an error when parsing or forwarding the response fails. [Yann Ylavic] diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c index 81e95b41cad..2d417288213 100644 --- a/modules/ssl/ssl_util_stapling.c +++ b/modules/ssl/ssl_util_stapling.c @@ -210,13 +210,13 @@ static BOOL stapling_cache_response(server_rec *s, modssl_ctx_t *mctx, BOOL ok, apr_pool_t *pool) { SSLModConfigRec *mc = myModConfig(s); - unsigned char resp_der[MAX_STAPLING_DER]; + unsigned char resp_der[MAX_STAPLING_DER]; /* includes one-byte flag + response */ unsigned char *p; int resp_derlen; BOOL rv; apr_time_t expiry; - resp_derlen = i2d_OCSP_RESPONSE(rsp, NULL) + 1; + resp_derlen = i2d_OCSP_RESPONSE(rsp, NULL); if (resp_derlen <= 0) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01927) @@ -224,7 +224,7 @@ static BOOL stapling_cache_response(server_rec *s, modssl_ctx_t *mctx, return FALSE; } - if (resp_derlen > sizeof resp_der) { + if (resp_derlen + 1 > sizeof resp_der) { /* response + ok flag too big? */ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01928) "OCSP stapling response too big (%u bytes)", resp_derlen); return FALSE;