From: Eric Covener
Date: Mon, 19 Jun 2017 16:52:00 +0000 (+0000)
Subject: Merge https://svn.apache.org/r1796343 from trunk:
X-Git-Tag: 2.2.33~6
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=2f52ae84967935d11dd686a3293820674009310f;p=thirdparty%2Fapache%2Fhttpd.git
Merge https://svn.apache.org/r1796343 from trunk:
*) SECURITY: CVE-2017-3169 (cve.mitre.org) mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port. [Yann Ylavic]
Submitted By: ylavic
Reviewed By: covener, ylavic, wrowe
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1799229 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 9fe328d76c3..aea20c1e6c4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -8,6 +8,11 @@ Changes with Apache 2.2.33
 request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value.
+ *) SECURITY: CVE-2017-3169 (cve.mitre.org)
+ mod_ssl may dereference a NULL pointer when third-party modules call
+ ap_hook_process_connection() during an HTTP request to an HTTPS port.
+ [Yann Ylavic]
+
 *) Fix HttpProtocolOptions to inherit from global to VirtualHost scope. [Joe Orton]
diff --git a/STATUS b/STATUS
index 3c741568b9d..fef58fd72ce 100644
--- a/STATUS
+++ b/STATUS
@@ -104,13 +104,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
 [ start all new proposals below, under PATCHES PROPOSED. ]
- *) mod_ssl: Consistently pass the expected bio_filter_in_ctx_t
- to ssl_io_filter_error(). [Yann Ylavic]
- trunk patch: https://svn.apache.org/r1796343
- 2.2.x patch: http://people.apache.org/~covener/patches/httpd-2.2.x-ssl_error_page_ctx.diff
- (function names and parameters changed a bit)
- +1 covener, ylavic, wrowe
-
 *) core: ap_get_basic_auth_pw deprecation
 trunk patch: https://svn.apache.org/r1796348
 2.2.x patch: http://people.apache.org/~covener/patches/httpd-2.2.x-ap_get_basic_auth_pw.diff
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index d6016d32ecd..c633be1ed28 100644
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -865,19 +865,20 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
 sizeof(HTTP_ON_HTTPS_PORT) - 1, \
 alloc)
-static void ssl_io_filter_disable(SSLConnRec *sslconn, ap_filter_t *f)
+static void ssl_io_filter_disable(SSLConnRec *sslconn,
+ bio_filter_in_ctx_t *inctx)
 {
- bio_filter_in_ctx_t *inctx = f->ctx;
 SSL_free(inctx->ssl);
 sslconn->ssl = NULL;
 inctx->ssl = NULL;
 inctx->filter_ctx->pssl = NULL;
 }
-static apr_status_t ssl_io_filter_error(ap_filter_t *f,
+static apr_status_t ssl_io_filter_error(bio_filter_in_ctx_t *inctx,
 apr_bucket_brigade *bb,
 apr_status_t status)
 {
+ ap_filter_t *f = inctx->f;
 SSLConnRec *sslconn = myConnConfig(f->c);
 apr_bucket *bucket;
 int send_eos = 1;
@@ -891,7 +892,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
 ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, sslconn->server);
 sslconn->non_ssl_request = NON_SSL_SEND_HDR_SEP;
- ssl_io_filter_disable(sslconn, f);
+ ssl_io_filter_disable(sslconn, inctx);
 /* fake the request line */
 bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
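Review bot: In the @@ -865 hunk, `ap_filter_t *f = inctx->f;` makes `f` inside ssl_io_filter_error() always the filter stored in the input context, including when the function is reached from the ssl_io_filter_output() call site at @@ -1486. The lines visible here only read `f->c`, which should be the same connection either way, but the body continues outside the hunk, so any later use of `f` itself (for example `f->next`) would now act on a different filter on the output path. Keeping only the connection, `conn_rec *c = inctx->f->c;` with `myConnConfig(c)` and `c->bucket_alloc`, would remove that ambiguity. A short comment above the function, such as `/* Takes the input filter context explicitly; per the STATUS entry the caller's f->ctx is not always a bio_filter_in_ctx_t. */`, would record why the parameter changed.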
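Review bot: At `ssl_io_filter_disable(sslconn, inctx);` in the @@ -891 hunk the SSL object is freed and `sslconn->ssl`, `inctx->ssl` and `inctx->filter_ctx->pssl` are set to NULL while the connection apparently keeps being served (the next lines fake a request line), and nothing at the call site or on ssl_io_filter_disable() in the @@ -865 hunk documents that state. Since the CHANGES entry attributes CVE-2017-3169 to a NULL pointer dereference on this HTTP-on-HTTPS path, a comment stating the postcondition would help later readers of these pointers, e.g. `/* From here on sslconn->ssl, inctx->ssl and filter_ctx->pssl are NULL; code that runs later on this connection must check before dereferencing. */`. ssl_io_filter_disable() also dereferences `inctx` and `inctx->filter_ctx` unconditionally; whether both are guaranteed non-NULL on every path into ssl_io_filter_error() cannot be confirmed from the hunks shown. The enclosing function begins and ends outside this hunk.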
@@ -1407,7 +1408,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
 * rather than have SSLEngine On configured. */
 if ((status = ssl_io_filter_connect(inctx->filter_ctx)) != APR_SUCCESS) {
- return ssl_io_filter_error(f, bb, status);
+ return ssl_io_filter_error(inctx, bb, status);
 }
 if (is_init) {
@@ -1443,7 +1444,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
 /* Handle custom errors. */
 if (status != APR_SUCCESS) {
- return ssl_io_filter_error(f, bb, status);
+ return ssl_io_filter_error(inctx, bb, status);
 }
 /* Create a transient bucket out of the decrypted data. */
@@ -1486,7 +1487,7 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f,
 inctx->block = APR_BLOCK_READ;
 if ((status = ssl_io_filter_connect(filter_ctx)) != APR_SUCCESS) {
- return ssl_io_filter_error(f, bb, status);
+ return ssl_io_filter_error(inctx, bb, status);
 }
 while (!APR_BRIGADE_EMPTY(bb)) {