Posted to bugs@httpd.apache.org by bu...@apache.org on 2003/07/07 15:26:51 UTC
DO NOT REPLY [Bug 21370] New: If 'SSLVerifyClient' is configured a FreeMemoryRead occurs in the case of a MSI5.0 browser and enabled Keep-Alive
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21370>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21370
Summary: If 'SSLVerifyClient' is configured a FreeMemoryRead occurs in the case of a MSI5.0 browser and enabled Keep-Alive
Product: Apache httpd-2.0
Version: 2.0.46
Platform: All
OS/Version: Other
Status: NEW
Severity: Normal
Priority: Other
Component: mod_ssl
AssignedTo: bugs@httpd.apache.org
ReportedBy: Hartmut.Keil@adnovum.ch
Description:
If 'SSLVerifyClient' is configured for some location, mod_ssl is starting a
re-negotiation of the SSL connection in the function 'ssl_io_filter_connect(..)'.
An MSIE Internet Explorer is handling that kind of re-negotiation in
the following way:
a) it is finishing the current handshake (see logfile)
b) afterwards it is starting a new handshake, now presenting a
client certificate
So the whole situation is handled by mod_ssl in the following way:
1) mod_ssl is starting a re-negotiation
2) the client does not finish the handshake (see a) )
3) mod_ssl is freeing the SSL struct using 'SSLfree(..)'
(By that also the allocated BIOs will be freed)
4) the browser is starting a new handshake (see b) ), using the same
TCP connection (Keep-Alive is enabled) and so the already
freed SSL struct and BIOs will be used by mod_ssl
(Due to the fact that it is bound to the conn_rec struct)
I.e. mod_ssl is reading already freed memory.
We have proven this using Purify (Version 2002a.06.00 on Solaris 2.8).
Fix:
If the handshake is failing in 'ssl_io_filter_connect(..)', the connection
will be aborted.
For stability, the pointers to the BIOs will be reset
in 'ssl_filter_io_shutdown(..)' and checked in 'ssl_filter_write(..)'.
We have tested the fix again with the same memory access checker.
Log-Message:
[Wed Jul 02 19:07:21 2003] [info] Requesting connection re-negotiation
[Wed Jul 02 19:07:21 2003] [info] Awaiting re-negotiation handshake
[Wed Jul 02 19:07:21 2003] [error] Re-negotiation handshake failed: Not accepted by client!?
Diff:
diff -c -r1.2 -r1.3
*** ssl_engine_io.c 2003/04/16 14:14:39 1.2
--- ssl_engine_io.c 2003/07/03 11:36:24 1.3
***************
*** 780,789 ****
apr_size_t len)
{
ssl_filter_ctx_t *filter_ctx = f->ctx;
! bio_filter_out_ctx_t *outctx =
! (bio_filter_out_ctx_t *)(filter_ctx->pbioWrite->ptr);
! int res;
/* write SSL */
if (filter_ctx->pssl == NULL) {
return APR_EGENERAL;
--- 780,795 ----
apr_size_t len)
{
ssl_filter_ctx_t *filter_ctx = f->ctx;
! bio_filter_out_ctx_t *outctx = NULL;
! int res;
+ /* 2.7.2003/hk,mv: BIOS has been freed*/
+ if (filter_ctx->pbioWrite == NULL) {
+ return APR_EGENERAL;
+ }
+
+ outctx = (bio_filter_out_ctx_t *)(filter_ctx->pbioWrite->ptr);
+
/* write SSL */
if (filter_ctx->pssl == NULL) {
return APR_EGENERAL;
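Review bot: the new `filter_ctx->pbioWrite == NULL` guard covers only the write filter, yet the second hunk also resets `filter_ctx->pbioRead` to NULL; if any read-side code dereferences `pbioRead->ptr` the way `ssl_filter_write` dereferences `pbioWrite->ptr`, it needs the same guard, and this patch does not add one. Since `pssl` and both BIO pointers are now cleared at the same point in `ssl_filter_io_shutdown`, the new check and the existing `if (filter_ctx->pssl == NULL)` return the same `APR_EGENERAL` and could be folded into one condition placed before the `outctx` assignment. The comment `/* 2.7.2003/hk,mv: BIOS has been freed*/` should read `BIOs`, gain a space before `*/`, and drop the date/initials tag, which belongs in the commit log rather than the source.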
***************
*** 999,1004 ****
--- 1005,1014 ----
sslconn->ssl = NULL;
filter_ctx->pssl = NULL; /* so filters know we've been shutdown */
+ /* 2.7.2003/hk,mv: BIOS is freed reset the pointers*/
+ filter_ctx->pbioRead = NULL;
+ filter_ctx->pbioWrite = NULL;
+
return APR_SUCCESS;
}
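Review bot: clearing `pbioRead` and `pbioWrite` immediately after `filter_ctx->pssl = NULL` is the right spot, given the description's point that the BIOs are released together with the SSL struct (only the `sslconn->ssl = NULL` context line is visible here, so the reader has to take that from the bug text). The comment `/* 2.7.2003/hk,mv: BIOS is freed reset the pointers*/` is hard to parse as written; suggest `/* The BIOs were freed together with the SSL struct; clear the aliases so a later request on this kept-alive connection cannot reuse them */`, which records the why rather than the date.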
***************
*** 1112,1117 ****
--- 1122,1129 ----
inctx->rc = APR_EGENERAL;
}
+ /* 2.7.2003/hk,mv: handshake failed, close the connection */
+ c->aborted=1;
return ssl_filter_io_shutdown(filter_ctx, c, 1);
}
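Review bot: `c->aborted=1;` should be `c->aborted = 1;` to match the spacing in the surrounding code. More importantly, the same two added lines (set `c->aborted`, then `return ssl_filter_io_shutdown(filter_ctx, c, 1);`) appear in this hunk and again in the next one; since both call sites pass `1` as the third argument of `ssl_filter_io_shutdown` and both want the connection aborted, setting `c->aborted` inside `ssl_filter_io_shutdown` when that argument is non-zero would keep the two callers from drifting apart and would make the abort happen for any future caller of the abortive shutdown as well.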
***************
*** 1153,1158 ****
--- 1165,1172 ----
error ? error : "unknown");
ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
+ /* 2.7.2003/hk,mv: no client cert, close the connection
*/
+ c->aborted=1;
return ssl_filter_io_shutdown(filter_ctx, c, 1);
}
}
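Review bot: the comment added in this hunk is split across two lines and its closing `*/` sits on a line with no `+` marker, so the hunk will not apply with patch(1) as posted (almost certainly mail wrapping; please attach the diff to the Bugzilla entry as a file instead of pasting it inline). Same style nit as the previous hunk: `c->aborted = 1;` with spaces around `=`.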
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
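The following is an added illustration, not code from this bug report or from httpd/mod_ssl: a self-contained C model of the lifecycle the report describes. A per-connection filter context holds a pointer to the SSL object plus two aliases into memory that object owns (the BIOs); when a re-negotiation fails the shutdown path frees the SSL object, and on a kept-alive connection the next request arrives on the same context. The model compares the pre-patch shutdown (only `pssl` cleared, BIO aliases left dangling) with the patched one (all three cleared, `c->aborted` set) and shows that the patched write filter rejects the later write instead of touching freed memory. All type and function names (`ssl_filter_ctx_t`, `conn_rec_t`, `ssl_filter_io_shutdown`, `ssl_filter_write`, `ssl_io_filter_connect`, the `patched` flag) are stand-ins chosen here and are not the real mod_ssl signatures; the `c->aborted` assignment is folded into the shutdown routine in this model, whereas the posted patch sets it at each call site.

```c
/* Added illustration of the dangling-BIO-pointer problem and its fix.
 * Not mod_ssl code; names and signatures are hypothetical stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define APR_SUCCESS  0
#define APR_EGENERAL 1   /* generic failure, as the real write filter returns */

typedef struct { char name[8]; } bio_t;           /* stand-in for an OpenSSL BIO */
typedef struct { bio_t *rbio; bio_t *wbio; } ssl_t; /* stand-in for an OpenSSL SSL */
typedef struct { int aborted; } conn_rec_t;       /* only the field the patch touches */
typedef struct {
    ssl_t *pssl;      /* owner of the BIOs */
    bio_t *pbioRead;  /* aliases into memory owned by pssl */
    bio_t *pbioWrite;
} ssl_filter_ctx_t;

/* Model of SSL_free(): releasing the SSL object releases its BIOs too,
 * which is exactly why the aliases in the context become dangling. */
static void ssl_free(ssl_t *ssl) {
    free(ssl->rbio);
    free(ssl->wbio);
    free(ssl);
}

static ssl_filter_ctx_t *ctx_new(void) {
    ssl_filter_ctx_t *ctx = calloc(1, sizeof *ctx);
    ctx->pssl = calloc(1, sizeof *ctx->pssl);
    ctx->pssl->rbio = calloc(1, sizeof(bio_t));
    ctx->pssl->wbio = calloc(1, sizeof(bio_t));
    strcpy(ctx->pssl->rbio->name, "rbio");
    strcpy(ctx->pssl->wbio->name, "wbio");
    ctx->pbioRead  = ctx->pssl->rbio;   /* the context keeps aliases */
    ctx->pbioWrite = ctx->pssl->wbio;
    return ctx;
}

/* Shutdown. patched == 0 models the pre-patch behaviour (only pssl cleared);
 * patched == 1 also clears the BIO aliases and marks the connection aborted
 * when the shutdown is abortive (third argument), as the patch does at its
 * two call sites. */
static int ssl_filter_io_shutdown(ssl_filter_ctx_t *ctx, conn_rec_t *c,
                                  int abortive, int patched) {
    if (ctx->pssl != NULL) ssl_free(ctx->pssl);
    ctx->pssl = NULL;          /* pre-patch code already did this */
    if (patched) {
        ctx->pbioRead  = NULL; /* hunk 2 of the patch */
        ctx->pbioWrite = NULL;
        if (abortive) c->aborted = 1;
    }
    return APR_SUCCESS;
}

/* Patched write filter: check the alias before using it (hunk 1). */
static int ssl_filter_write(ssl_filter_ctx_t *ctx, const char *data) {
    if (ctx->pbioWrite == NULL) return APR_EGENERAL;  /* BIOs have been freed */
    if (ctx->pssl == NULL)      return APR_EGENERAL;  /* original check */
    printf("write via %s: %s\n", ctx->pbioWrite->name, data);
    return APR_SUCCESS;
}

/* Re-negotiation outcome: a failed handshake aborts the connection. */
static int ssl_io_filter_connect(ssl_filter_ctx_t *ctx, conn_rec_t *c,
                                 int handshake_ok) {
    if (handshake_ok) return APR_SUCCESS;
    return ssl_filter_io_shutdown(ctx, c, 1, 1);
}

/* How many BIO aliases are still set after shutdown: 2 pre-patch (dangling,
 * never dereferenced here), 0 patched. The pointer values are only compared
 * against NULL, never followed. */
int dangling_after_shutdown(int patched) {
    ssl_filter_ctx_t *ctx = ctx_new();
    conn_rec_t c = {0};
    ssl_filter_io_shutdown(ctx, &c, 1, patched);
    int count = (ctx->pbioRead != NULL) + (ctx->pbioWrite != NULL);
    free(ctx);
    return count;
}

/* The report's scenario with the patched code: re-negotiation fails, then
 * the browser sends again on the same kept-alive connection. Returns 1 when
 * the later write is rejected and the connection is marked aborted. */
int keepalive_after_failed_renegotiation(void) {
    ssl_filter_ctx_t *ctx = ctx_new();
    conn_rec_t c = {0};
    ssl_io_filter_connect(ctx, &c, 0);                     /* handshake fails */
    int rc = ssl_filter_write(ctx, "GET / HTTP/1.1");      /* next request */
    int ok = (rc == APR_EGENERAL) && c.aborted == 1 && ctx->pbioWrite == NULL;
    free(ctx);
    return ok;
}

int main(void) {
    printf("dangling BIO pointers pre-patch: %d\n", dangling_after_shutdown(0));
    printf("dangling BIO pointers patched:   %d\n", dangling_after_shutdown(1));
    printf("keep-alive write rejected:       %d\n", keepalive_after_failed_renegotiation());
    return 0;
}
```

The model deliberately never dereferences the stale aliases; it only shows that they remain non-NULL after the pre-patch shutdown, which is the state Purify flagged as a read of freed memory once the next request on the same connection reached the write filter.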