Mercurial > hg > nginx-quic
changeset 7092:2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
The $ssl_server_name variable used SSL_get_servername() result directly,
but this is not safe: it references a memory allocation in an SSL
session, and this memory might be freed at any time due to renegotiation.
Instead, copy the name to memory allocated from the pool.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 22 Aug 2017 17:36:12 +0300 |
parents | 82f0b8dcca27 |
children | acc2cddc7b45 |
files | src/event/ngx_event_openssl.c |
diffstat | 1 files changed, 16 insertions(+), 7 deletions(-) |
--- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -3551,13 +3551,22 @@ ngx_ssl_get_server_name(ngx_connection_t { #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME - const char *servername; - - servername = SSL_get_servername(c->ssl->connection, - TLSEXT_NAMETYPE_host_name); - if (servername) { - s->data = (u_char *) servername; - s->len = ngx_strlen(servername); + size_t len; + const char *name; + + name = SSL_get_servername(c->ssl->connection, TLSEXT_NAMETYPE_host_name); + + if (name) { + len = ngx_strlen(name); + + s->len = len; + s->data = ngx_pnalloc(pool, len); + if (s->data == NULL) { + return NGX_ERROR; + } + + ngx_memcpy(s->data, name, len); + return NGX_OK; }
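Review bot: In the added `if (name)` block, `s->len = len;` is assigned before the result of `s->data = ngx_pnalloc(pool, len);` is checked, so on the `return NGX_ERROR` path `s` is left with a nonzero length and a NULL data pointer. Consider assigning `s->len` only after the allocation succeeds, so that a caller that inspects `s` after an error does not pair a length with a NULL pointer. The copy is also exactly `len` bytes with no terminating NUL, which suits a length-counted string but differs from the removed code, where `s->data` pointed at the C string returned by `SSL_get_servername()`. A short comment above `ngx_memcpy(s->data, name, len);` noting that the result is not NUL-terminated, and that the copy exists because the OpenSSL-owned name can be freed on renegotiation, would keep a later cleanup from reverting to the direct pointer.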