BUG/MINOR: ssl: abort on sni_keytypes allocation failure

The ssl_sock_populate_sni_keytypes_hplr() function does not return an
error upon an allocation failure.

The process would probably crash during the configuration parsing if the
allocation fails, since it tries to copy some data into the allocated
memory.

This patch could be backported as far as 1.5.
William Lallemand 2019-10-04 17:36:55 +02:00 committed by William Lallemand
parent 8ed5b96587
commit 28a8fce485


@ -3040,7 +3040,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
#if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL
static void ssl_sock_populate_sni_keytypes_hplr(const char *str, struct eb_root *sni_keytypes, int key_index)
static int ssl_sock_populate_sni_keytypes_hplr(const char *str, struct eb_root *sni_keytypes, int key_index)
{
struct sni_keytype *s_kt = NULL;
struct ebmb_node *node;
@ -3060,6 +3060,9 @@ static void ssl_sock_populate_sni_keytypes_hplr(const char *str, struct eb_root
* strncpy will cause sig_abrt errors under certain versions of gcc with -O2
* See: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=60792
*/
if (!s_kt)
return -1;
memcpy(s_kt->name.key, trash.area, i+1);
s_kt->keytypes = 0;
ebst_insert(sni_keytypes, &s_kt->name);
@ -3071,6 +3074,8 @@ static void ssl_sock_populate_sni_keytypes_hplr(const char *str, struct eb_root
/* Mark that this CN has the keytype of key_index via keytypes mask */
s_kt->keytypes |= 1<<key_index;
return 0;
}
#endif
@ -3207,13 +3212,21 @@ static int ssl_sock_load_multi_ckchs(const char *path, struct ckch_store *ckchs,
* keyindex = 0 | 1 | 4 = 5
*/
for (n = 0; n < SSL_SOCK_NUM_KEYTYPES; n++) {
int ret;
if (!ssl_sock_is_ckch_valid(&certs_and_keys[n]))
continue;
if (fcount) {
for (i = 0; i < fcount; i++)
ssl_sock_populate_sni_keytypes_hplr(sni_filter[i], &sni_keytypes_map, n);
for (i = 0; i < fcount; i++) {
ret = ssl_sock_populate_sni_keytypes_hplr(sni_filter[i], &sni_keytypes_map, n);
if (ret < 0) {
memprintf(err, "%sunable to allocate SSL context.\n",
err && *err ? *err : "");
rv = 1;
goto end;
}
}
} else {
/* A lot of the following code is OpenSSL boilerplate for processing CN's and SAN's,
* so the line that contains logic is marked via comments
@ -3226,10 +3239,16 @@ static int ssl_sock_load_multi_ckchs(const char *path, struct ckch_store *ckchs,
value = X509_NAME_ENTRY_get_data(entry);
if (ASN1_STRING_to_UTF8((unsigned char **)&str, value) >= 0) {
/* Important line is here */
ssl_sock_populate_sni_keytypes_hplr(str, &sni_keytypes_map, n);
ret = ssl_sock_populate_sni_keytypes_hplr(str, &sni_keytypes_map, n);
OPENSSL_free(str);
str = NULL;
if (ret < 0) {
memprintf(err, "%sunable to allocate SSL context.\n",
err && *err ? *err : "");
rv = 1;
goto end;
}
}
}
@ -3243,10 +3262,16 @@ static int ssl_sock_load_multi_ckchs(const char *path, struct ckch_store *ckchs,
if (name->type == GEN_DNS) {
if (ASN1_STRING_to_UTF8((unsigned char **)&str, name->d.dNSName) >= 0) {
/* Important line is here */
ssl_sock_populate_sni_keytypes_hplr(str, &sni_keytypes_map, n);
ret = ssl_sock_populate_sni_keytypes_hplr(str, &sni_keytypes_map, n);
OPENSSL_free(str);
str = NULL;
if (ret < 0) {
memprintf(err, "%sunable to allocate SSL context.\n",
err && *err ? *err : "");
rv = 1;
goto end;
}
}
}
}
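Review bot: The three new `memprintf` calls in ssl_sock_load_multi_ckchs (the `fcount` loop, the CN branch and the SAN branch) report "unable to allocate SSL context", but the allocation that failed is the SNI keytype entry in ssl_sock_populate_sni_keytypes_hplr, and the message does not say which certificate was being loaded. An operator diagnosing a start-up failure under memory pressure is pointed at the wrong allocation; something like `memprintf(err, "%sunable to allocate SNI keytype entry for '%s'.\n", err && *err ? *err : "", path);` names both the object and the file. Because the block is repeated verbatim three times, a single shared error path would keep the wording from drifting. The `end` label and the allocation call itself lie outside the visible hunks, so the cleanup that runs after `goto end` could not be checked from here.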