Changeset 7092:2e8de3d81783 in nginx


Timestamp:
08/22/17 14:36:12
Author:
Maxim Dounin <mdounin@…>
Branch:
default
Tags:
tip
Message:

SSL: fixed possible use-after-free in $ssl_server_name.

The $ssl_server_name variable used SSL_get_servername() result directly,
but this is not safe: it references a memory allocation in an SSL
session, and this memory might be freed at any time due to renegotiation.
Instead, copy the name to memory allocated from the pool.

File:
1 edited

  • src/event/ngx_event_openssl.c

    r7091 r7092  
    35523552#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
    35533553
    3554     const char  *servername;
    3555 
    3556     servername = SSL_get_servername(c->ssl->connection,
    3557                                     TLSEXT_NAMETYPE_host_name);
    3558     if (servername) {
    3559         s->data = (u_char *) servername;
    3560         s->len = ngx_strlen(servername);
     3554    size_t       len;
     3555    const char  *name;
     3556
     3557    name = SSL_get_servername(c->ssl->connection, TLSEXT_NAMETYPE_host_name);
     3558
     3559    if (name) {
     3560        len = ngx_strlen(name);
     3561
     3562        s->len = len;
     3563        s->data = ngx_pnalloc(pool, len);
     3564        if (s->data == NULL) {
     3565            return NGX_ERROR;
     3566        }
     3567
     3568        ngx_memcpy(s->data, name, len);
     3569
    35613570        return NGX_OK;
    35623571    }
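Review bot: in the new block, `s->len = len;` is assigned before the `ngx_pnalloc` result is checked, so on the `return NGX_ERROR` path the variable is left with a nonzero length and a NULL `data` pointer; moving `s->len = len;` below the `if (s->data == NULL)` check keeps the `ngx_str_t` consistent on failure. The pool copy itself is the right fix for the use-after-free described in the message: the pointer returned by `SSL_get_servername` belongs to the SSL session and can go away on renegotiation, so only the length-counted copy in `s->data` should outlive this function. Note that `ngx_memcpy(s->data, name, len)` copies `len` bytes without a terminating NUL, which is fine for an `ngx_str_t` as long as no caller treats `s->data` as a C string.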