Welcome! Log In Create A New Profile

Re: [PATCH] Avoid using the result of i2d_SSL_SESSION when the session is invalid

Forum List Message List New Topic Print View

Maxim Dounin

June 19, 2017 11:00AM

Hello!

On Mon, Jun 19, 2017 at 04:09:43PM +0200, Bart Warmerdam wrote:

> According to the man-page of i2d_SSL_SESSION the result can be NULL or
> 0, but case the actual result can also be -1 in case of a failed
> CRYPTO_malloc. The call trace for this function is:
>
> Call chain:
> i2d_SSL_SESSION
> i2d_SSL_SESSION_ASN1
> ASN1_item_i2d
> asn1_item_flags_i2d
>
>
> The preprocessor output generates the following code:
>
> static int asn1_item_flags_i2d(ASN1_VALUE *val, unsigned char **out,
> const ASN1_ITEM *it, int flags)
> {
> if (out && !*out) {

This condition cannot be true, as nginx uses preallocated buffer
for i2d_SSL_SESSION().

(Moreover, using a preallocated buffer is this is the only
approach documented in the i2d_SSL_SESSION() manual page, and the
only one actually available before OpenSSL 1.1.0.)

[...]

--
Maxim Dounin
http://nginx.org/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply Quote

RSS

Subject	Author	Views	Posted
[PATCH] Avoid using the result of i2d_SSL_SESSION when the session is invalid	Bart Warmerdam	436	June 19, 2017 02:10AM
Re: [PATCH] Avoid using the result of i2d_SSL_SESSION when the session is invalid	ru@nginx.com	412	June 19, 2017 06:12AM
Re: [PATCH] Avoid using the result of i2d_SSL_SESSION when the session is invalid	Bart Warmerdam	308	June 19, 2017 10:10AM
Re: [PATCH] Avoid using the result of i2d_SSL_SESSION when the session is invalid	Maxim Dounin	371	June 19, 2017 11:00AM

Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 324

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018