modssl-users  

Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

Rainer Jung
Fri, 01 Jan 2010 12:44:39 -0800

On 29.12.2009 22:57, John Lightsey wrote:

On Mon, 2009-11-23 at 22:12 +0100, Rainer Jung wrote:

On 23.11.2009 18:57, John Lightsey wrote:

On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:



Thanks again. I updated the patch:

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch

The only changes are in ssl_engine_io.c, where the declaration of "char
*reneg" is moved 4 times to the beginning of the function. Anything else
you observed?


I received a report of segfaults caused by this patch.  They happen when
you have Apache proxy connections to a SSL destination.  IE:

RewriteRule ^/(.*) https://other_site.com/$1 [P]

The segfault happens at:

reneg = ap_ctx_get(c->client->ctx, "ssl::reneg");

in ssl_io_suck_read() because SSL_get_app_data(ssl) returns NULL.


#0  0x0000000000454bb5 in ssl_io_suck_read (ssl=0x10a26070,
buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:275
         actx = (ap_ctx *) 0x10a26070
         ss = (struct ssl_io_suck_st *) 0x0
         r = (request_rec *) 0x0
         rv = 0
         reneg = 0x0
         c = (conn_rec *) 0x0
#1  0x0000000000454f31 in ssl_io_hook_read (fb=0x10a25c28,
buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:394
         ssl = (SSL *) 0x10a26070
         c = (conn_rec *) 0x0
         s = (server_rec *) 0x0
         rc = 0
         reneg = 0x0
#2  0x000000000049a00f in ap_hook_call_func (ap=0x7fff98699110,
he=0x104f33b0, hf=0x105059c0) at ap_hook.c:649
         v1 = (void *) 0x10a25c28
         v2 = (void *) 0x107ccd88
         v3 = 4096
         v_rc = (void *) 0x7fff9869922c
         v_tmp = {v_char = 0 '\0', v_int = 0, v_long = 0, v_float = 0,
v_double = 0, v_ptr = 0x0}
         rc = 1
#3  0x00000000004982db in ap_hook_call (hook=0x4bbb5a "ap::buff::read")
at ap_hook.c:382
         i = 0
         he = (ap_hook_entry *) 0x104f33b0
         ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
0x7fff98699200, reg_save_area = 0x7fff98699140}}
         rc = 0
#4  0x000000000046af22 in ap_read (fb=0x10a25c28, buf=0x107ccd88,
nbyte=4096) at buff.c:255
         rv = 0
Thank you for your feedback and the analysis. I could reproduce this and have updated the patch: 

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v3.patch
I tested with and without SSL_EXPERIMENTAL_PROXY and it worked for my tests. The code doesn't try to change/fix renegotiation behaviour for ssl on the client side when used as a proxy. 

As always: feedback welcome!

Regards,

Rainer
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majord...@modssl.org