Merge https://svn.apache.org/r1796343 from trunk:

  *) SECURITY: CVE-2017-3169 (cve.mitre.org)
     mod_ssl may dereference a NULL pointer when third-party modules call
     ap_hook_process_connection() during an HTTP request to an HTTPS port.
     [Yann Ylavic]


Submitted By: ylavic
Reviewed By: covener, ylavic, wrowe



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1799229 13f79535-47bb-0310-9956-ffa450edef68

CHANGES

@@ -8,6 +8,11 @@ Changes with Apache 2.2.33
      request headers, an attacker may be able to cause a segmentation fault,
      or to force ap_find_token() to return an incorrect value.
 
+  *) SECURITY: CVE-2017-3169 (cve.mitre.org)
+     mod_ssl may dereference a NULL pointer when third-party modules call
+     ap_hook_process_connection() during an HTTP request to an HTTPS port.
+     [Yann Ylavic]
+
   *) Fix HttpProtocolOptions to inherit from global to VirtualHost scope.
      [Joe Orton]
 

STATUS

@@ -104,13 +104,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  *) mod_ssl: Consistently pass the expected bio_filter_in_ctx_t
-     to ssl_io_filter_error(). [Yann Ylavic]
-     trunk patch: https://svn.apache.org/r1796343
-     2.2.x patch: http://people.apache.org/~covener/patches/httpd-2.2.x-ssl_error_page_ctx.diff
-                  (function names and parameters changed a bit)
-     +1 covener, ylavic, wrowe
-
   *) core: ap_get_basic_auth_pw deprecation
      trunk patch: https://svn.apache.org/r1796348
      2.2.x patch: http://people.apache.org/~covener/patches/httpd-2.2.x-ap_get_basic_auth_pw.diff

modules/ssl/ssl_engine_io.c

@@ -865,19 +865,20 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
                                sizeof(HTTP_ON_HTTPS_PORT) - 1, \
                                alloc)
 
-static void ssl_io_filter_disable(SSLConnRec *sslconn, ap_filter_t *f)
+static void ssl_io_filter_disable(SSLConnRec *sslconn,
+                                  bio_filter_in_ctx_t *inctx)
 {
-    bio_filter_in_ctx_t *inctx = f->ctx;
     SSL_free(inctx->ssl);
     sslconn->ssl = NULL;
     inctx->ssl = NULL;
     inctx->filter_ctx->pssl = NULL;
 }
 
-static apr_status_t ssl_io_filter_error(ap_filter_t *f,
+static apr_status_t ssl_io_filter_error(bio_filter_in_ctx_t *inctx,
                                         apr_bucket_brigade *bb,
                                         apr_status_t status)
 {
+    ap_filter_t *f = inctx->f;
     SSLConnRec *sslconn = myConnConfig(f->c);
     apr_bucket *bucket;
     int send_eos = 1;
@@ -891,7 +892,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
             ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, sslconn->server);
 
             sslconn->non_ssl_request = NON_SSL_SEND_HDR_SEP;
-            ssl_io_filter_disable(sslconn, f);
+            ssl_io_filter_disable(sslconn, inctx);
 
             /* fake the request line */
             bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
@@ -1407,7 +1408,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
      * rather than have SSLEngine On configured.
      */
     if ((status = ssl_io_filter_connect(inctx->filter_ctx)) != APR_SUCCESS) {
-        return ssl_io_filter_error(f, bb, status);
+        return ssl_io_filter_error(inctx, bb, status);
     }
 
     if (is_init) {
@@ -1443,7 +1444,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
 
     /* Handle custom errors. */
     if (status != APR_SUCCESS) {
-        return ssl_io_filter_error(f, bb, status);
+        return ssl_io_filter_error(inctx, bb, status);
     }
 
     /* Create a transient bucket out of the decrypted data. */
@@ -1486,7 +1487,7 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f,
     inctx->block = APR_BLOCK_READ;
 
     if ((status = ssl_io_filter_connect(filter_ctx)) != APR_SUCCESS) {
-        return ssl_io_filter_error(f, bb, status);
+        return ssl_io_filter_error(inctx, bb, status);
     }
 
     while (!APR_BRIGADE_EMPTY(bb)) {