Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

Tue, 29 Dec 2009 13:57:49 -0800 

On Mon, 2009-11-23 at 22:12 +0100, Rainer Jung wrote:
> On 23.11.2009 18:57, John Lightsey wrote:
> > On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:

> Thanks again. I updated the patch:
> 
> http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch
> 
> The only changes are in ssl_engine_io.c, where the declaration of "char
> *reneg" is moved 4 times to the beginning of the function. Anything else
> you observed?

I received a report of segfaults caused by this patch.  They happen when
you have Apache proxy connections to a SSL destination.  IE:

RewriteRule ^/(.*) https://other_site.com/$1 [P]

The segfault happens at:

reneg = ap_ctx_get(c->client->ctx, "ssl::reneg");

in ssl_io_suck_read() because SSL_get_app_data(ssl) returns NULL.


#0  0x0000000000454bb5 in ssl_io_suck_read (ssl=0x10a26070,
buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:275
        actx = (ap_ctx *) 0x10a26070
        ss = (struct ssl_io_suck_st *) 0x0
        r = (request_rec *) 0x0
        rv = 0
        reneg = 0x0
        c = (conn_rec *) 0x0
#1  0x0000000000454f31 in ssl_io_hook_read (fb=0x10a25c28,
buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:394
        ssl = (SSL *) 0x10a26070
        c = (conn_rec *) 0x0
        s = (server_rec *) 0x0
        rc = 0
        reneg = 0x0
#2  0x000000000049a00f in ap_hook_call_func (ap=0x7fff98699110,
he=0x104f33b0, hf=0x105059c0) at ap_hook.c:649
        v1 = (void *) 0x10a25c28
        v2 = (void *) 0x107ccd88
        v3 = 4096
        v_rc = (void *) 0x7fff9869922c
        v_tmp = {v_char = 0 '\0', v_int = 0, v_long = 0, v_float = 0,
v_double = 0, v_ptr = 0x0}
        rc = 1
#3  0x00000000004982db in ap_hook_call (hook=0x4bbb5a "ap::buff::read")
at ap_hook.c:382
        i = 0
        he = (ap_hook_entry *) 0x104f33b0
        ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
0x7fff98699200, reg_save_area = 0x7fff98699140}}
        rc = 0
#4  0x000000000046af22 in ap_read (fb=0x10a25c28, buf=0x107ccd88,
nbyte=4096) at buff.c:255
        rv = 0


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majord...@modssl.org

Reply via email to