This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
     new c8ecaa44f6 66035: Add NULL check on the SSL session reference
c8ecaa44f6 is described below

commit c8ecaa44f6a110873bd7bf8b3c2f08354e2900d8
Author: remm <r...@apache.org>
AuthorDate: Wed Apr 27 13:08:08 2022 +0200

    66035: Add NULL check on the SSL session reference
    
    Add NULL check on the SSL session reference in the Panama code before
    accessing the session id and creation time.
---
 .../org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java   | 7 ++++++-
 webapps/docs/changelog.xml                                         | 4 ++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git 
a/modules/openssl-java17/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
 
b/modules/openssl-java17/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
index e34759c913..52e0677144 100644
--- 
a/modules/openssl-java17/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
+++ 
b/modules/openssl-java17/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
@@ -1568,6 +1568,9 @@ public final class OpenSSLEngine extends SSLEngine 
implements SSLUtil.ProtocolIn
                     var allocator = SegmentAllocator.ofScope(engineScope);
                     MemorySegment lenPointer = 
allocator.allocate(CLinker.C_POINTER);
                     var session = SSL_get_session(state.ssl);
+                    if (MemoryAddress.NULL.equals(session)) {
+                        return new byte[0];
+                    }
                     MemoryAddress sessionId = SSL_SESSION_get_id(session, 
lenPointer);
                     int length = MemoryAccess.getInt(lenPointer);
                     id = (length == 0) ? new byte[0] : 
sessionId.asSegment(length, engineScope).toByteArray();
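Review bot: The NULL check on `session` sits after `allocator.allocate(CLinker.C_POINTER)`, so the path that returns `new byte[0]` still allocates a segment in `engineScope`. If that scope lives as long as the engine (its lifetime is not visible in this hunk), the allocation is only released when the scope closes. Moving `var session = SSL_get_session(state.ssl);` and the `MemoryAddress.NULL.equals(session)` test above the `var allocator = ...` line would avoid that. A short comment would also help, for example `// No SSL session available: report an empty id rather than dereferencing NULL`, since callers that key on the session id need to treat an empty array as "no id". The enclosing method starts and ends outside the hunk.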
@@ -1589,7 +1592,9 @@ public final class OpenSSLEngine extends SSLEngine 
implements SSLUtil.ProtocolIn
             synchronized (OpenSSLEngine.this) {
                 if (!destroyed) {
                     var session = SSL_get_session(state.ssl);
-                    creationTime = SSL_SESSION_get_time(session);
+                    if (!MemoryAddress.NULL.equals(session)) {
+                        creationTime = SSL_SESSION_get_time(session);
+                    }
                 }
             }
             return creationTime * 1000L;
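Review bot: When `session` is NULL the new guard skips the assignment, so `return creationTime * 1000L;` yields whatever `creationTime` held before, and that initial value is declared outside the hunk. If it starts at zero, the method reports the epoch, which a caller cannot tell apart from a real timestamp. Consider documenting the fallback at the guard, for example `// No SSL session: keep the previous creationTime value`, and in the method's Javadoc. This hunk also uses a guarded `if (!...)` where the session-id hunk uses an early return for the same condition; one form in both places would read more consistently.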
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 3df044a28f..702914aadd 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -144,6 +144,10 @@
         Tomcat will not be running on a JRE where these issues are present.
         (markt)
       </scode>
+      <fix>
+        <bug>66035</bug>: Add NULL check on the SSL session reference in the
+        Panama code before accessing the session id and creation time. (remm)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">

