From d017f113c0db0f99227a96e825d244c6e1e322ac Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Mon, 9 Apr 2012 09:24:11 +0200
Subject: [PATCH] BUG/MINOR: acl: req_ssl_sni would randomly fail if a session ID is present
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The wrong byte was checked for the session_id length in the payload. This used to work when the session ID was absent because zero was found there, but when a session ID is present, there is 1/256 chance that the inspected data contains 0x20 (the actual session ID length), so it fails.

Thanks to Emmanuel Bézagu for reporting this bug.

This bug does not need backporting, it is 1.5 specific.
---
 src/acl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/acl.c b/src/acl.c
index 6d4eed3d7..46307434c 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -290,7 +290,7 @@ acl_fetch_req_ssl_ver(struct proxy *px, struct session *l4, void *l7, int dir,
 * - uint24 length (handshake message length)
 * - ClientHello :
 * - uint16 client_version >= 0x0301 (TLSv1)
- * - uint8 Random[32]
+ * - uint8 Random[32] (4 first ones are timestamp)
 * - SessionID :
 * - uint8 session_id_len (0..32) (SessionID len in bytes)
 * - uint8 session_id[session_id_len]
@@ -370,7 +370,7 @@ acl_fetch_ssl_hello_sni(struct proxy *px, struct session *l4, void *l7, int dir,
 if (data[0] < 0x03 || data[1] < 0x01) /* TLSv1 minimum */
 goto not_ssl_hello;
- ext_len = data[35];
+ ext_len = data[34]; /* session_id_len */
 if (ext_len > 32 || ext_len > (hs_len - 35)) /* check for correct session_id len */
 goto not_ssl_hello;
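Review bot: `ext_len = data[34]` reads the byte right after the 32-byte Random, so it is only safe if the caller has already established that at least 35 bytes of the ClientHello are present in the buffer; that check, and the declaration of `hs_len`, sit outside the hunk, so I cannot confirm them here. If `hs_len` is an unsigned type, `ext_len > (hs_len - 35)` wraps for a short message and lets the length check pass, so a guard such as `if (hs_len < 35) goto not_ssl_hello;` before the subtraction (or a signed `hs_len`) is worth verifying. The bare `34` and `35` are magic offsets into untrusted data; a comment such as `/* 34 = 2 (client_version) + 32 (Random); session_id follows at 35 */` would tie the new index to the ClientHello layout documented above acl_fetch_req_ssl_ver. Reusing `ext_len` to hold the session_id length also reads oddly next to the `/* session_id_len */` note; a dedicated local (e.g. `sess_id_len`) would make the following bounds check self-explanatory. The body of acl_fetch_ssl_hello_sni begins and continues outside the hunk.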