You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by re...@apache.org on 2021/01/21 20:21:30 UTC
[tomcat] branch 8.5.x updated: Avoid possible infinite loop in
unwrap
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new 7aab38f Avoid possible infinite loop in unwrap
7aab38f is described below
commit 7aab38f545cbac418edcc42874b791e45bf8a8f5
Author: remm <re...@apache.org>
AuthorDate: Thu Jan 21 21:18:44 2021 +0100
Avoid possible infinite loop in unwrap
As described in the testcase and debug info for 64771, an infinite loop
can occur if the buffers state changes concurrently to unwrap. The
capacity is set at the beginning of the method. If the last buffer
remaining becomes 0 for some reason, then idx will become equal to
endOffset and the code will loop endlessly, as long as
pendingReadableBytesInSSL returns > 0.
In that particular case, break the loop with an ISE that will allow
noticing the issue.
---
java/org/apache/tomcat/util/net/openssl/LocalStrings.properties | 1 +
java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java | 5 +++++
webapps/docs/changelog.xml | 4 ++++
3 files changed, 10 insertions(+)
diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
index 3606acd..84990f3 100644
--- a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
@@ -19,6 +19,7 @@ engine.engineClosed=Engine is closed
engine.failedCipherSuite=Failed to enable cipher suite [{0}]
engine.inboundClose=Inbound closed before receiving peer's close_notify
engine.invalidBufferArray=offset: [{0}], length: [{1}] (expected: offset <= offset + length <= srcs.length [{2}])
+engine.invalidDestinationBuffersState=The state of the destination buffers changed concurrently while unwrapping bytes
engine.noRestrictSessionCreation=OpenSslEngine does not permit restricting the engine to only resuming existing sessions
engine.noSSLContext=No SSL context
engine.noSession=SSL session ID not available
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
index e48acb4..cdd0617 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
@@ -567,6 +567,11 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
}
while (pendingApp > 0) {
+ if (idx == endOffset) {
+ // Destination buffer state changed (no remaining space although
+ // capacity is still available), so break loop with an error
+ throw new IllegalStateException(sm.getString("engine.invalidDestinationBuffersState"));
+ }
// Write decrypted data to dsts buffers
while (idx < endOffset) {
ByteBuffer dst = dsts[idx];
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 3861161..937e544 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -175,6 +175,10 @@
<bug>65001</bug>: Fix error handling for exceptions throw from calls
to <code>ReadListener</code> and <code>WriteListener</code>. (markt)
</fix>
+ <fix>
+ Avoid possible infinite loop in <code>OpenSSLEngine.unwrap</code>
+ when the destination buffers state is changed concurrently. (remm)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org