On Wed, Jul 16, 2003 at 11:21:38AM -0400, Jeff Trawick wrote:
> I turned on SSLVerifyClient and my client wasn't set up properly and I
> started getting server segfaults because we try to read on the
> connection after some SSL-related data has been cleaned up.
>
> #2 0x8091753 in ssl_io_filter_input (f=0x825d760, bb=0x825f440,
> mode=AP_MODE_GETLINE, block=APR_BLOCK_READ,
> readbytes=0) at ssl_engine_io.c:1231
>
> 1231 if ((status = ssl_io_filter_connect(inctx->filter_ctx)) !=
> APR_SUCCESS) {
>
> (gdb) p inctx->filter_ctx
> $1 = (ssl_filter_ctx_t *) 0x0
>
> I haven't tried very hard to see how inctx->filter_ctx can get cleared,
> but first I wonder about the big picture: Is continued I/O reasonabe
> after the negotiation failure? It *seems* like the clients I'm playing
> with (wget, Mozilla) have given up at that point anyway.
>
> If it isn't reasonable, then c->aborted should be set.
I agree it's not reasonable; the SSL alert has been sent so nothing more
should be done. That patch was necessary but not sufficient to cure the
segfaults for me in this case - I also needed the below change. Do you
want to check these in together?
* ssl_engine_io.c (ssl_filter_write, ssl_io_filter_output): Don't
dereference the BIOs in filter_ctx when filter_ctx->pssl is NULL.
Index: ssl_engine_io.c
===================================================================
RCS file: /store/cvs/root/httpd-2.0/modules/ssl/ssl_engine_io.c,v
retrieving revision 1.109
diff -u -p -r1.109 ssl_engine_io.c
--- ssl_engine_io.c 22 May 2003 19:41:32 -0000 1.109
+++ ssl_engine_io.c 17 Jul 2003 09:54:03 -0000
@@ -780,8 +780,7 @@ static apr_status_t ssl_filter_write(ap_
apr_size_t len)
{
ssl_filter_ctx_t *filter_ctx = f->ctx;
- bio_filter_out_ctx_t *outctx =
- (bio_filter_out_ctx_t *)(filter_ctx->pbioWrite->ptr);
+ bio_filter_out_ctx_t *outctx;
int res;
/* write SSL */
@@ -789,6 +788,7 @@ static apr_status_t ssl_filter_write(ap_
return APR_EGENERAL;
}
+ outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr;
res = SSL_write(filter_ctx->pssl, (unsigned char *)data, len);
if (res < 0) {
@@ -1362,8 +1362,7 @@ static apr_status_t ssl_io_filter_output
{
apr_status_t status = APR_SUCCESS;
ssl_filter_ctx_t *filter_ctx = f->ctx;
- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)
- (filter_ctx->pbioRead->ptr);
+ bio_filter_in_ctx_t *inctx;
if (f->c->aborted) {
apr_brigade_cleanup(bb);
@@ -1375,6 +1374,7 @@ static apr_status_t ssl_io_filter_output
return ap_pass_brigade(f->next, bb);
}
+ inctx = (bio_filter_in_ctx_t *)filter_ctx->pbioRead->ptr;
/* When we are the writer, we must initialize the inctx
* mode so that we block for any required ssl input, because
* output filtering is always nonblocking.
