Mercurial > hg > nginx
comparison src/event/ngx_event_openssl.c @ 7092:2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
The $ssl_server_name variable used SSL_get_servername() result directly,
but this is not safe: it references a memory allocation in an SSL
session, and this memory might be freed at any time due to renegotiation.
Instead, copy the name to memory allocated from the pool.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Tue, 22 Aug 2017 17:36:12 +0300 |
| parents | 82f0b8dcca27 |
| children | 3482c069e050 6c52c99c475e |
comparison
equal
deleted
inserted
replaced
| 7091:82f0b8dcca27 | 7092:2e8de3d81783 |
|---|---|
| 3549 ngx_int_t | 3549 ngx_int_t |
| 3550 ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) | 3550 ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
| 3551 { | 3551 { |
| 3552 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME | 3552 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
| 3553 | 3553 |
| 3554 const char *servername; | 3554 size_t len; |
| 3555 | 3555 const char *name; |
| 3556 servername = SSL_get_servername(c->ssl->connection, | 3556 |
| 3557 TLSEXT_NAMETYPE_host_name); | 3557 name = SSL_get_servername(c->ssl->connection, TLSEXT_NAMETYPE_host_name); |
| 3558 if (servername) { | 3558 |
| 3559 s->data = (u_char *) servername; | 3559 if (name) { |
| 3560 s->len = ngx_strlen(servername); | 3560 len = ngx_strlen(name); |
| 3561 | |
| 3562 s->len = len; | |
| 3563 s->data = ngx_pnalloc(pool, len); | |
| 3564 if (s->data == NULL) { | |
| 3565 return NGX_ERROR; | |
| 3566 } | |
| 3567 | |
| 3568 ngx_memcpy(s->data, name, len); | |
| 3569 | |
| 3561 return NGX_OK; | 3570 return NGX_OK; |
| 3562 } | 3571 } |
| 3563 | 3572 |
| 3564 #endif | 3573 #endif |
| 3565 | 3574 |