Skip to content
Permalink
Browse files

Merge https://svn.apache.org/r1796343 from trunk:

  *) SECURITY: CVE-2017-3169 (cve.mitre.org)
     mod_ssl may dereference a NULL pointer when third-party modules call
     ap_hook_process_connection() during an HTTP request to an HTTPS port.
     [Yann Ylavic]


Submitted By: ylavic
Reviewed By: covener, ylavic, wrowe



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1799229 13f79535-47bb-0310-9956-ffa450edef68
  • Loading branch information...
covener committed Jun 19, 2017
1 parent ad581ce commit 3fdeae4ddcaae251ae99bdd4421ab14aac53a502
Showing with 13 additions and 14 deletions.
  1. +5 −0 CHANGES
  2. +0 −7 STATUS
  3. +8 −7 modules/ssl/ssl_engine_io.c
@@ -8,6 +8,11 @@ Changes with Apache 2.2.33
request headers, an attacker may be able to cause a segmentation fault,
or to force ap_find_token() to return an incorrect value.

*) SECURITY: CVE-2017-3169 (cve.mitre.org)
mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.
[Yann Ylavic]

*) Fix HttpProtocolOptions to inherit from global to VirtualHost scope.
[Joe Orton]

7 STATUS
@@ -104,13 +104,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]

*) mod_ssl: Consistently pass the expected bio_filter_in_ctx_t
to ssl_io_filter_error(). [Yann Ylavic]
trunk patch: https://svn.apache.org/r1796343
2.2.x patch: http://people.apache.org/~covener/patches/httpd-2.2.x-ssl_error_page_ctx.diff
(function names and parameters changed a bit)
+1 covener, ylavic, wrowe

*) core: ap_get_basic_auth_pw deprecation
trunk patch: https://svn.apache.org/r1796348
2.2.x patch: http://people.apache.org/~covener/patches/httpd-2.2.x-ap_get_basic_auth_pw.diff
@@ -865,19 +865,20 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
sizeof(HTTP_ON_HTTPS_PORT) - 1, \
alloc)

static void ssl_io_filter_disable(SSLConnRec *sslconn, ap_filter_t *f)
static void ssl_io_filter_disable(SSLConnRec *sslconn,
bio_filter_in_ctx_t *inctx)
{
bio_filter_in_ctx_t *inctx = f->ctx;
SSL_free(inctx->ssl);
sslconn->ssl = NULL;
inctx->ssl = NULL;
inctx->filter_ctx->pssl = NULL;
}

static apr_status_t ssl_io_filter_error(ap_filter_t *f,
static apr_status_t ssl_io_filter_error(bio_filter_in_ctx_t *inctx,
apr_bucket_brigade *bb,
apr_status_t status)
{
ap_filter_t *f = inctx->f;
SSLConnRec *sslconn = myConnConfig(f->c);
apr_bucket *bucket;
int send_eos = 1;
@@ -891,7 +892,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, sslconn->server);

sslconn->non_ssl_request = NON_SSL_SEND_HDR_SEP;
ssl_io_filter_disable(sslconn, f);
ssl_io_filter_disable(sslconn, inctx);

/* fake the request line */
bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
@@ -1407,7 +1408,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
* rather than have SSLEngine On configured.
*/
if ((status = ssl_io_filter_connect(inctx->filter_ctx)) != APR_SUCCESS) {
return ssl_io_filter_error(f, bb, status);
return ssl_io_filter_error(inctx, bb, status);
}

if (is_init) {
@@ -1443,7 +1444,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,

/* Handle custom errors. */
if (status != APR_SUCCESS) {
return ssl_io_filter_error(f, bb, status);
return ssl_io_filter_error(inctx, bb, status);
}

/* Create a transient bucket out of the decrypted data. */
@@ -1486,7 +1487,7 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f,
inctx->block = APR_BLOCK_READ;

if ((status = ssl_io_filter_connect(filter_ctx)) != APR_SUCCESS) {
return ssl_io_filter_error(f, bb, status);
return ssl_io_filter_error(inctx, bb, status);
}

while (!APR_BRIGADE_EMPTY(bb)) {

0 comments on commit 3fdeae4

Please sign in to comment.
You can’t perform that action at this time.