
svn commit: r1488296 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_util_ocsp.c

Author: jorton
Date: Fri May 31 16:17:36 2013
New Revision: 1488296

URL: http://svn.apache.org/r1488296
Log:
* modules/ssl/ssl_util_ocsp.c (read_response): Ignore empty buckets in
  the brigade, which can be left over from line splitting.  Fixes case
  where the OCSP response was only partially read from the wire.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1488296&r1=1488295&r2=1488296&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Fri May 31 16:17:36 2013
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) mod_ssl: Fix possible truncation of OCSP responses when reading from the
+     server.  [Joe Orton]
+
   *) mod_session_dbd: Make sure that dirty flag is respected when saving
      sessions, and ensure the session ID is changed each time the session
      changes. [Takashi Sato <takashi tks.st>, Graham Leggett]

Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c?rev=1488296&r1=1488295&r2=1488296&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c Fri May 31 16:17:36 2013
@@ -236,7 +236,7 @@ static OCSP_RESPONSE *read_response(apr_
         apr_bucket *e = APR_BRIGADE_FIRST(bb);
 
         rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
-        if (rv == APR_EOF || (rv == APR_SUCCESS && len == 0)) {
+        if (rv == APR_EOF) {
             ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01984)
                           "OCSP response: got EOF");
             break;
@@ -246,6 +246,12 @@ static OCSP_RESPONSE *read_response(apr_
                           "error reading response from OCSP server");
             return NULL;
         }
+        if (len == 0) {
+            /* Ignore zero-length buckets (possible side-effect of
+             * line splitting). */
+            apr_bucket_delete(e);
+            continue;
+        }
         count += len;
         if (count > MAX_CONTENT) {
             ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01986)
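Review bot: The new zero-length branch deletes any bucket whose read yields len == 0, and that includes metadata buckets such as EOS, for which apr_bucket_read returns APR_SUCCESS with len 0; the removed condition on the first hunk used to treat exactly that case as end of stream, so stream termination now rests on a later APR_EOF from the read instead. Whether the brigade can carry an EOS bucket here depends on the input filter chain and the loop head, both outside the hunk, so this is an inference rather than an observed failure. Keeping the end-of-stream case explicit is cheap: `if (APR_BUCKET_IS_EOS(e)) { break; }` placed before `if (len == 0)`, with the existing delete-and-continue then only covering genuinely empty data buckets. It would also be worth a one-line comment noting that the branch is reached only for len == 0 after the APR_EOF and error checks above, since a reader of this hunk cannot otherwise tell that rv is APR_SUCCESS at that point. The enclosing read_response loop begins before this hunk.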