Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

2009-12-29 Thread John Lightsey
On Mon, 2009-11-23 at 22:12 +0100, Rainer Jung wrote:
> On 23.11.2009 18:57, John Lightsey wrote:
> > On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
>
> Thanks again. I updated the patch:
>
> http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch
>
> The only changes are in ssl_engine_io.c, where the declaration of char
> *reneg is moved 4 times to the beginning of the function. Anything else
> you observed?

I received a report of segfaults caused by this patch. They happen when
you have Apache proxy connections to an SSL destination, i.e.:

RewriteRule ^/(.*) https://other_site.com/$1 [P]

The segfault happens at:

reneg = ap_ctx_get(c->client->ctx, "ssl::reneg");

in ssl_io_suck_read() because SSL_get_app_data(ssl) returns NULL.


#0  0x00454bb5 in ssl_io_suck_read (ssl=0x10a26070,
    buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:275
        actx = (ap_ctx *) 0x10a26070
        ss = (struct ssl_io_suck_st *) 0x0
        r = (request_rec *) 0x0
        rv = 0
        reneg = 0x0
        c = (conn_rec *) 0x0
#1  0x00454f31 in ssl_io_hook_read (fb=0x10a25c28,
    buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:394
        ssl = (SSL *) 0x10a26070
        c = (conn_rec *) 0x0
        s = (server_rec *) 0x0
        rc = 0
        reneg = 0x0
#2  0x0049a00f in ap_hook_call_func (ap=0x7fff98699110,
    he=0x104f33b0, hf=0x105059c0) at ap_hook.c:649
        v1 = (void *) 0x10a25c28
        v2 = (void *) 0x107ccd88
        v3 = 4096
        v_rc = (void *) 0x7fff9869922c
        v_tmp = {v_char = 0 '\0', v_int = 0, v_long = 0, v_float = 0,
          v_double = 0, v_ptr = 0x0}
        rc = 1
#3  0x004982db in ap_hook_call (hook=0x4bbb5a "ap::buff::read")
    at ap_hook.c:382
        i = 0
        he = (ap_hook_entry *) 0x104f33b0
        ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
          0x7fff98699200, reg_save_area = 0x7fff98699140}}
        rc = 0
#4  0x0046af22 in ap_read (fb=0x10a25c28, buf=0x107ccd88,
    nbyte=4096) at buff.c:255
        rv = 0


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager  majord...@modssl.org
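
The failure reported in the message above, reduced to a self-contained C example that is added here and is not code from mod_ssl or from the patch under discussion. The types and the mock_* helpers are simplified stand-ins for the Apache 1.3 / OpenSSL ones named in the trace, and the reneg_lookup_* function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in types (assumptions): only the fields the lookup touches. */
typedef struct { const char *key; void *val; } ap_ctx;  /* one-slot context */
typedef struct { ap_ctx *ctx; } BUFF;
typedef struct { BUFF *client; } conn_rec;
typedef struct { void *app_data; } SSL;                 /* mock SSL handle */

static void *mock_get_app_data(const SSL *ssl) { return ssl->app_data; }

static void *mock_ctx_get(ap_ctx *ctx, const char *key)
{
    return (ctx->key && strcmp(ctx->key, key) == 0) ? ctx->val : NULL;
}

/* Unguarded pattern from the report: crashes when app_data is NULL.
 * Kept for comparison only; main() never calls it. */
char *reneg_lookup_unchecked(SSL *ssl)
{
    conn_rec *c = (conn_rec *)mock_get_app_data(ssl);
    return (char *)mock_ctx_get(c->client->ctx, "ssl::reneg");
}

/* Guarded form: a NULL at any hop means no renegotiation state is tracked. */
char *reneg_lookup_checked(SSL *ssl)
{
    conn_rec *c = ssl ? (conn_rec *)mock_get_app_data(ssl) : NULL;
    if (c == NULL || c->client == NULL || c->client->ctx == NULL)
        return NULL;
    return (char *)mock_ctx_get(c->client->ctx, "ssl::reneg");
}

int main(void)
{
    char flag[] = "constructed-state";      /* constructed sample value */
    ap_ctx ctx = { "ssl::reneg", flag };
    BUFF fb = { &ctx };
    conn_rec conn = { &fb };
    SSL inbound = { &conn };                /* app_data set */
    SSL proxied = { NULL };                 /* app_data unset, as in the trace */

    printf("inbound: %s\n", reneg_lookup_checked(&inbound));
    printf("proxied: %s\n", reneg_lookup_checked(&proxied) ? "state" : "none");
    return 0;
}
```

A NULL result means the caller has no renegotiation state for that connection, so the calling code has to decide explicitly how to treat that case rather than assume the check ran.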


Jean-Pierre Guilloteau is absent.

2009-12-29 Thread jpguilloteau

I will be out of the office starting Fri 25/12/09 and will not return until
Mon 04/01/10.

I will respond to your message when I return.
