comparison src/event/ngx_event_openssl.c @ 7092:2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
The $ssl_server_name variable used SSL_get_servername() result directly,
but this is not safe: it references a memory allocation in an SSL
session, and this memory might be freed at any time due to renegotiation.
Instead, copy the name to memory allocated from the pool.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 22 Aug 2017 17:36:12 +0300 |
parents | 82f0b8dcca27 |
children | 3482c069e050 6c52c99c475e |
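--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3549,17 +3549,26 @@
 ngx_int_t
 ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 
-const char *servername;
-
-servername = SSL_get_servername(c->ssl->connection,
-TLSEXT_NAMETYPE_host_name);
-if (servername) {
-s->data = (u_char *) servername;
-s->len = ngx_strlen(servername);
+size_t len;
+const char *name;
+
+name = SSL_get_servername(c->ssl->connection, TLSEXT_NAMETYPE_host_name);
+
+if (name) {
+len = ngx_strlen(name);
+
+s->len = len;
+s->data = ngx_pnalloc(pool, len);
+if (s->data == NULL) {
+return NGX_ERROR;
+}
+
+ngx_memcpy(s->data, name, len);
+
 return NGX_OK;
 }
 
 #endif
 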
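Review bot: The reason for the copy lives only in the commit message, so nothing in the new body of ngx_ssl_get_server_name() tells a later reader that pointing `s->data` back at the SSL_get_servername() result would reintroduce the use-after-free. A comment above the allocation would keep that visible, e.g. `/* copy the name: SSL_get_servername() points into session memory that may be freed on renegotiation */`. Separately, `s->len = len;` is assigned before the `ngx_pnalloc()` result is checked, so on the NGX_ERROR path the string is left with a non-zero length and a NULL data pointer; moving the assignment after the NULL check, next to `ngx_memcpy(s->data, name, len);`, avoids handing that state to a caller that does not test the return value. The function continues past the `#endif`, outside this section.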