
from-upstream/0001-BUG-MEDIUM-ssl-fix-bad-ssl-context-init-can-cause-se.patch Patch series | download
From 8de4ecd5f55ee0d45b9cde587af13be980c7a891 Mon Sep 17 00:00:00 2001
From: Emeric Brun <ebrun@haproxy.comw>
Date: Wed, 12 Nov 2014 17:35:37 +0100
Subject: [PATCH 1/9] BUG/MEDIUM: ssl: fix bad ssl context init can cause
 segfault in case of OOM.

Errors returned by some of the SSL context init functions were not handled
and could cause a segfault due to an incomplete SSL context
initialization.

This fix must be backported to 1.5.
(cherry picked from commit 5547615cdac377797ae351a2e024376dbf6d6963)
---
 src/ssl_sock.c | 44 ++++++++++++++++++++++++++++++++++----------
 1 file changed, 34 insertions(+), 10 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f8bfbe758222..620609f2f445 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2040,15 +2040,29 @@ static int ssl_sock_init(struct connection *conn)
 			return -1;
 		}
 
-		SSL_set_connect_state(conn->xprt_ctx);
-		if (objt_server(conn->target)->ssl_ctx.reused_sess)
-			SSL_set_session(conn->xprt_ctx, objt_server(conn->target)->ssl_ctx.reused_sess);
-
 		/* set fd on SSL session context */
-		SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd);
+		if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) {
+			SSL_free(conn->xprt_ctx);
+			conn->xprt_ctx = NULL;
+			conn->err_code = CO_ER_SSL_NO_MEM;
+			return -1;
+		}
 
 		/* set connection pointer */
-		SSL_set_app_data(conn->xprt_ctx, conn);
+		if (!SSL_set_app_data(conn->xprt_ctx, conn)) {
+			SSL_free(conn->xprt_ctx);
+			conn->xprt_ctx = NULL;
+			conn->err_code = CO_ER_SSL_NO_MEM;
+			return -1;
+		}
+
+		SSL_set_connect_state(conn->xprt_ctx);
+		if (objt_server(conn->target)->ssl_ctx.reused_sess) {
+			if(!SSL_set_session(conn->xprt_ctx, objt_server(conn->target)->ssl_ctx.reused_sess)) {
+				SSL_SESSION_free(objt_server(conn->target)->ssl_ctx.reused_sess);
+				objt_server(conn->target)->ssl_ctx.reused_sess = NULL;
+			}
+		}
 
 		/* leave init state and start handshake */
 		conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
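Review bot: The SSL_set_session fallback at the end of the hunk silently discards the server's cached session and carries on, with no comment saying that this is a deliberate best-effort rather than an error that was forgotten; I would add `/* cannot attach the cached session (e.g. OOM): drop it and let the handshake proceed without resumption */` above the SSL_SESSION_free. The cleanup is only sound if SSL_set_session takes its own reference solely on success, which is how OpenSSL behaves as far as I know; if that assumption ever breaks, the SSL_SESSION_free here would double-free, so the comment could state it explicitly. Minor style: `if(!SSL_set_session(` is missing the space after `if` that the surrounding code uses. ssl_sock_init starts before this hunk and continues after it.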
@@ -2065,13 +2079,23 @@ static int ssl_sock_init(struct connection *conn)
 			return -1;
 		}
 
-		SSL_set_accept_state(conn->xprt_ctx);
-
 		/* set fd on SSL session context */
-		SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd);
+		if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) {
+			SSL_free(conn->xprt_ctx);
+			conn->xprt_ctx = NULL;
+			conn->err_code = CO_ER_SSL_NO_MEM;
+			return -1;
+		}
 
 		/* set connection pointer */
-		SSL_set_app_data(conn->xprt_ctx, conn);
+		if (!SSL_set_app_data(conn->xprt_ctx, conn)) {
+			SSL_free(conn->xprt_ctx);
+			conn->xprt_ctx = NULL;
+			conn->err_code = CO_ER_SSL_NO_MEM;
+			return -1;
+		}
+
+		SSL_set_accept_state(conn->xprt_ctx);
 
 		/* leave init state and start handshake */
 		conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
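Review bot: The SSL_set_fd and SSL_set_app_data failure paths repeat the same four-line cleanup (SSL_free, clear xprt_ctx, set CO_ER_SSL_NO_MEM, return -1), which now appears four times across this hunk and the previous one and invites the copies to drift apart the next time a step is added. A single `goto` to one cleanup label would keep a single copy of that sequence; ssl_sock_init begins before this hunk and its end, where such a label would sit, lies after it, so the placement is an inference from what is visible. The sketch below shows the listener-side lines rewritten this way.
```c
		/* set fd on SSL session context */
		if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd))
			goto err_nomem;

		/* set connection pointer */
		if (!SSL_set_app_data(conn->xprt_ctx, conn))
			goto err_nomem;

		SSL_set_accept_state(conn->xprt_ctx);
		/* … unchanged: leave init state and start handshake … */

	/* single OOM cleanup path shared by the server and listener branches
	 * (placed at the end of ssl_sock_init, outside this hunk) */
 err_nomem:
	SSL_free(conn->xprt_ctx);
	conn->xprt_ctx = NULL;
	conn->err_code = CO_ER_SSL_NO_MEM;
	return -1;
```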
-- 
2.1.3