[nginx] SSL: fixed possible use-after-free in $ssl_server_name.

Maxim Dounin
August 22, 2017 10:42AM
details: http://hg.nginx.org/nginx/rev/2e8de3d81783
branches:
changeset: 7092:2e8de3d81783
user: Maxim Dounin <mdounin@mdounin.ru>
date: Tue Aug 22 17:36:12 2017 +0300
description:
SSL: fixed possible use-after-free in $ssl_server_name.

The $ssl_server_name variable used SSL_get_servername() result directly,
but this is not safe: it references a memory allocation in an SSL
session, and this memory might be freed at any time due to renegotiation.
Instead, copy the name to memory allocated from the pool.

diffstat:

src/event/ngx_event_openssl.c | 23 ++++++++++++++++-------
1 files changed, 16 insertions(+), 7 deletions(-)

diffs (33 lines):

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3551,13 +3551,22 @@ ngx_ssl_get_server_name(ngx_connection_t
{
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME

- const char *servername;
-
- servername = SSL_get_servername(c->ssl->connection,
- TLSEXT_NAMETYPE_host_name);
- if (servername) {
- s->data = (u_char *) servername;
- s->len = ngx_strlen(servername);
+ size_t len;
+ const char *name;
+
+ name = SSL_get_servername(c->ssl->connection, TLSEXT_NAMETYPE_host_name);
+
+ if (name) {
+ len = ngx_strlen(name);
+
+ s->len = len;
+ s->data = ngx_pnalloc(pool, len);
+ if (s->data == NULL) {
+ return NGX_ERROR;
+ }
+
+ ngx_memcpy(s->data, name, len);
+
return NGX_OK;
}
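Review bot: In the `if (name)` branch, `s->len = len;` is assigned before the `ngx_pnalloc()` result is checked, so on the `return NGX_ERROR;` path the output string is left with a non-zero length and a NULL `data` pointer. Consider allocating first and setting `s->len` only after the NULL check, so the string is never left half-initialized on the error path. A short comment above the copy, saying that the `SSL_get_servername()` result points into session memory that can be freed on renegotiation, would also help keep a later cleanup from reverting to `s->data = (u_char *) name`.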

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel