httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 21370] New: - If 'SSLVerifyClient' is configured a FreeMemoryRead occurs in the case of a MSI5.0 browser and enabled Keep-Alive
Date Mon, 07 Jul 2003 13:26:51 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21370>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21370

If 'SSLVerifyClient' is configured a FreeMemoryRead occurs in the case of a MSI5.0 browser and enabled Keep-Alive

           Summary: If 'SSLVerifyClient' is configured a FreeMemoryRead
                    occurs in the case of a MSI5.0 browser and enabled Keep-
                    Alive
           Product: Apache httpd-2.0
           Version: 2.0.46
          Platform: All
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: Hartmut.Keil@adnovum.ch


Description: 
If 'SSLVerifyClient' is configured for some location, mod_ssl is starting a
re-negotiation of the SSL connection in the function 'ssl_io_filter_connect(..)'.
An MSIE Internet Explorer is handling that kind of re-negotiation in
the following way:
a) it is finishing the current handshake (see logfile)
b) afterwards it is starting a new handshake, now presenting a
   client certificate

So the whole situation is handled by mod_ssl in the following way:
1) mod_ssl is starting a re-negotiation
2) the client does not finish the handshake (see a) )
3) mod_ssl is freeing the SSL struct using 'SSL_free(..)'
   (by that the allocated BIOs will also be freed)
4) the browser is starting a new handshake (see b) ), using the same
   TCP connection (Keep-Alive is enabled), and so the already
   freed SSL struct and BIOs will be used by mod_ssl
   (due to the fact that they are bound to the conn_rec struct)

I.e. mod_ssl is reading already freed memory.
We have proven this using Purify (version 2002a.06.00 on Solaris 2.8).


Fix:
If the handshake is failing in 'ssl_io_filter_connect(..)', the connection
will be aborted.
For stability, the pointers to the BIOs will be reset in
'ssl_filter_io_shutdown(..)' and checked in 'ssl_filter_write(..)'.
We have tested the fix again with the same memory access checker.


Log-Message:
[Wed Jul 02 19:07:21 2003] [info] Requesting connection re-negotiation
[Wed Jul 02 19:07:21 2003] [info] Awaiting re-negotiation handshake
[Wed Jul 02 19:07:21 2003] [error] Re-negotiation handshake failed: Not accepted by client!?

Diff:
diff -c -r1.2 -r1.3
*** ssl_engine_io.c     2003/04/16 14:14:39     1.2
--- ssl_engine_io.c     2003/07/03 11:36:24     1.3
***************
*** 780,789 ****
                                       apr_size_t len)
  {
      ssl_filter_ctx_t *filter_ctx = f->ctx;
!     bio_filter_out_ctx_t *outctx = 
!            (bio_filter_out_ctx_t *)(filter_ctx->pbioWrite->ptr);
!     int res;
  
      /* write SSL */
      if (filter_ctx->pssl == NULL) {
          return APR_EGENERAL;
--- 780,795 ----
                                       apr_size_t len)
  {
      ssl_filter_ctx_t *filter_ctx = f->ctx;
!       bio_filter_out_ctx_t *outctx = NULL;
!       int res;
  
+       /* 2.7.2003/hk,mv: BIOS has been freed*/
+       if (filter_ctx->pbioWrite == NULL) {
+               return APR_EGENERAL;
+       }
+ 
+     outctx = (bio_filter_out_ctx_t *)(filter_ctx->pbioWrite->ptr);
+ 
      /* write SSL */
      if (filter_ctx->pssl == NULL) {
          return APR_EGENERAL;
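Review bot: the new guard on `filter_ctx->pbioWrite` is placed ahead of the `outctx` assignment, which is the right order, because the old code dereferenced `pbioWrite->ptr` in the declaration before any NULL test ran; two small points: the inserted lines use eight-space indentation where the surrounding file uses four, and the comment `BIOS has been freed` should read `BIOs have been freed`. Since the function already bails out on `filter_ctx->pssl == NULL`, consider folding both tests into one `if (filter_ctx->pbioWrite == NULL || filter_ctx->pssl == NULL)` so there is a single "we have been shut down" check to keep in sync.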
***************
*** 999,1004 ****
--- 1005,1014 ----
      sslconn->ssl = NULL;
      filter_ctx->pssl = NULL; /* so filters know we've been shutdown */
  
+       /* 2.7.2003/hk,mv: BIOS is freed reset the pointers*/
+       filter_ctx->pbioRead = NULL;
+       filter_ctx->pbioWrite = NULL;
+ 
      return APR_SUCCESS;
  }
  
***************
*** 1112,1117 ****
--- 1122,1129 ----
              inctx->rc = APR_EGENERAL;
          }
  
+               /* 2.7.2003/hk,mv: handshake failed, close the connection */
+               c->aborted=1;
          return ssl_filter_io_shutdown(filter_ctx, c, 1);
      }
  
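Review bot: setting `c->aborted = 1` before `ssl_filter_io_shutdown(filter_ctx, c, 1)` is the part that stops keep-alive from reusing this connection after a failed re-negotiation, which is the core of the fix; style-wise the assignment is indented deeper than the block it sits in and `c->aborted=1;` wants spaces around `=` to match the file. A one-line comment stating why the abort is needed (the client may start a fresh handshake on the same TCP connection after the SSL state is gone) would serve future readers better than the date/initials tag.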
***************
*** 1153,1158 ****
--- 1165,1172 ----
                           error ? error : "unknown");
              ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
  
+                       /* 2.7.2003/hk,mv: no client cert, close the connection
*/
+                       c->aborted=1;
              return ssl_filter_io_shutdown(filter_ctx, c, 1);
          }
      }
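Review bot: same abort-before-shutdown pattern as the previous hunk, so the no-client-certificate path now closes the connection instead of leaving it reusable; the comment has wrapped in transit (the closing `*/` sits on its own line) and the added lines are indented far deeper than the enclosing block. Because this and the previous hunk both duplicate `c->aborted = 1;` immediately before `ssl_filter_io_shutdown(filter_ctx, c, 1)`, consider setting the abort flag inside `ssl_filter_io_shutdown` itself whenever its trailing argument is 1, so every failure path that requests an abortive shutdown gets it without each caller remembering to.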

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
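The report describes a dangling-pointer sequence: the re-negotiation fails, the SSL object and its BIOs are freed, keep-alive lets the client reuse the same conn_rec, and the output filter then dereferences the freed BIO. The following C example is added here and is not part of the bug report or of mod_ssl; it models that lifecycle with toy stand-ins (the types `ssl_t`, `bio_t`, `conn_rec_t` and the functions `conn_init`, `renegotiation_failed`, `conn_may_reuse` and `conn_has_dangling_bio` are assumed names) and shows the two halves of the fix: marking the connection aborted so keep-alive cannot reuse it, and NULL-ing the BIO pointers so the write filter fails cleanly with APR_EGENERAL instead of reading freed memory.

```c
#include <stdlib.h>
#include <string.h>

#define APR_SUCCESS  0
#define APR_EGENERAL 1

/* Toy stand-ins for OpenSSL's SSL and BIO objects (constructed, names assumed). */
typedef struct { char scratch[64]; } bio_t;
typedef struct { int handshake_done; } ssl_t;

/* Mirrors the ssl_filter_ctx_t fields the report talks about. */
typedef struct {
    ssl_t *pssl;
    bio_t *pbioRead;
    bio_t *pbioWrite;
} ssl_filter_ctx_t;

/* Minimal conn_rec: only the aborted flag and the filter context matter here. */
typedef struct {
    int aborted;
    ssl_filter_ctx_t filter_ctx;
} conn_rec_t;

/* Set up a connection with live SSL and BIO objects (constructed sample state). */
static void conn_init(conn_rec_t *c)
{
    c->aborted = 0;
    c->filter_ctx.pssl = calloc(1, sizeof(ssl_t));
    c->filter_ctx.pbioRead = calloc(1, sizeof(bio_t));
    c->filter_ctx.pbioWrite = calloc(1, sizeof(bio_t));
}

/* Tear down the SSL state. reset_bios == 0 behaves like the pre-fix shutdown:
 * pssl is cleared but the BIO pointers keep pointing at freed memory.
 * reset_bios == 1 matches the fix in the report. */
static int ssl_filter_io_shutdown(ssl_filter_ctx_t *filter_ctx, int reset_bios)
{
    free(filter_ctx->pbioRead);
    free(filter_ctx->pbioWrite);
    free(filter_ctx->pssl);
    filter_ctx->pssl = NULL;            /* so filters know we've been shut down */
    if (reset_bios) {
        filter_ctx->pbioRead = NULL;
        filter_ctx->pbioWrite = NULL;
    }
    return APR_SUCCESS;
}

/* Output filter after the fix: test pbioWrite before dereferencing it,
 * then refuse to write if the SSL object is gone. */
static int ssl_filter_write(ssl_filter_ctx_t *filter_ctx, const char *data, size_t len)
{
    if (filter_ctx->pbioWrite == NULL) {
        return APR_EGENERAL;            /* BIOs have been freed */
    }
    if (filter_ctx->pssl == NULL) {
        return APR_EGENERAL;
    }
    if (len >= sizeof(filter_ctx->pbioWrite->scratch)) {
        return APR_EGENERAL;
    }
    memcpy(filter_ctx->pbioWrite->scratch, data, len);
    filter_ctx->pbioWrite->scratch[len] = '\0';
    return APR_SUCCESS;
}

/* A re-negotiation the client did not complete: mark the connection aborted
 * so keep-alive cannot hand it another request, then shut the SSL state down. */
static int renegotiation_failed(conn_rec_t *c, int reset_bios)
{
    c->aborted = 1;
    return ssl_filter_io_shutdown(&c->filter_ctx, reset_bios);
}

/* Keep-alive gate: an aborted connection must not be reused. */
static int conn_may_reuse(const conn_rec_t *c)
{
    return c->aborted == 0;
}

/* Detects the pre-fix inconsistency without dereferencing anything:
 * SSL object gone while a BIO pointer is still set. */
static int conn_has_dangling_bio(const conn_rec_t *c)
{
    return c->filter_ctx.pssl == NULL &&
           (c->filter_ctx.pbioRead != NULL || c->filter_ctx.pbioWrite != NULL);
}
```

A memory checker such as the Purify run mentioned in the report would flag the pre-fix path (`reset_bios == 0`) the moment `ssl_filter_write` dereferenced `pbioWrite`; the fixed path never reaches that dereference, and `conn_may_reuse` returning 0 is what keeps the keep-alive loop from presenting the next handshake to a dead context at all.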

