This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push: new c8ecaa44f6 66035: Add NULL check on the SSL session reference c8ecaa44f6 is described below commit c8ecaa44f6a110873bd7bf8b3c2f08354e2900d8 Author: remm <r...@apache.org> AuthorDate: Wed Apr 27 13:08:08 2022 +0200 66035: Add NULL check on the SSL session reference Add NULL check on the SSL session reference in the Panama code before accessing the session id and creation time. --- .../org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java | 7 ++++++- webapps/docs/changelog.xml | 4 ++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/modules/openssl-java17/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java b/modules/openssl-java17/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java index e34759c913..52e0677144 100644 --- a/modules/openssl-java17/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java +++ b/modules/openssl-java17/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java @@ -1568,6 +1568,9 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn var allocator = SegmentAllocator.ofScope(engineScope); MemorySegment lenPointer = allocator.allocate(CLinker.C_POINTER); var session = SSL_get_session(state.ssl); + if (MemoryAddress.NULL.equals(session)) { + return new byte[0]; + } MemoryAddress sessionId = SSL_SESSION_get_id(session, lenPointer); int length = MemoryAccess.getInt(lenPointer); id = (length == 0) ? new byte[0] : sessionId.asSegment(length, engineScope).toByteArray(); @@ -1589,7 +1592,9 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn synchronized (OpenSSLEngine.this) { if (!destroyed) { var session = SSL_get_session(state.ssl); - creationTime = SSL_SESSION_get_time(session); + if (!MemoryAddress.NULL.equals(session)) { + creationTime = SSL_SESSION_get_time(session); + } } } return creationTime * 1000L; diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 3df044a28f..702914aadd 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -144,6 +144,10 @@ Tomcat will not be running on a JRE where these issues are present. (markt) </scode> + <fix> + <bug>66035</bug>: Add NULL check on the SSL session reference in the + Panama code before accessing the session id and creation time. (remm) + </fix> </changelog> </subsection> <subsection name="Jasper"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org