From 20d15662a56b9402d3d34a18aba851c45c14b22e Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Wed, 21 Jul 2021 11:50:12 +0200
Subject: [PATCH] BUG/MEDIUM: ssl_sample: fix segfault for srv samples on invalid request
Some ssl samples cause a segfault when the stream is not instantiated, for example during an invalid HTTP request. A new check is added to prevent the stream dereferencing if NULL. This is the list of the affected samples : - ssl_s_chain_der - ssl_s_der - ssl_s_i_dn - ssl_s_key_alg - ssl_s_notafter - ssl_s_notbefore - ssl_s_s_dn - ssl_s_serial - ssl_s_sha1 - ssl_s_sig_alg - ssl_s_version This bug can be reproduced easily by using one of these samples in a log-format string. Emit an invalid HTTP request with an HTTP client to trigger the crash. This bug has been reported in redmine issue 3913. This must be backported up to 2.2.
(cherry picked from commit 5fcd428c35c45f7222b9aade0c0484fcdb558de9)
Signed-off-by: Christopher Faulet
(cherry picked from commit 73617f937e001514305a3ee5a259bf45a3f0961b)
Signed-off-by: Christopher Faulet
---
 src/ssl_sample.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/src/ssl_sample.c b/src/ssl_sample.c
index b2acbb8..4dafbca 100644
--- a/src/ssl_sample.c
+++ b/src/ssl_sample.c
@@ -101,7 +101,7 @@ smp_fetch_ssl_x_der(const struct arg *args, struct sample *smp, const char *kw,
 SSL *ssl;
 if (conn_server)
- conn = cs_conn(objt_cs(smp->strm->si[1].end));
+ conn = smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
 else
 conn = objt_conn(smp->sess->origin);
@@ -156,7 +156,7 @@ smp_fetch_ssl_x_chain_der(const struct arg *args, struct sample *smp, const char
 int i;
 if (conn_server)
- conn = cs_conn(objt_cs(smp->strm->si[1].end));
+ conn = smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
 else
 conn = objt_conn(smp->sess->origin);
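Review bot: The NULL-stream guard is pasted as the same ternary into all eleven fetch functions (this hunk in smp_fetch_ssl_x_der and every other hunk of the patch), and none of the sites carries a comment saying when `smp->strm` can be NULL. A fetch added later by copying older code, or any other unguarded `smp->strm->si[1].end` dereference, would bring back a crash that the commit message says an invalid HTTP request can trigger through a log-format string. I would move the expression `smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL` into one file-local helper, documented with something like `/* a sample may be evaluated without a stream, e.g. when logging a request rejected before the stream exists: return NULL in that case */`, and call it from each site. Every function body starts and ends outside its hunk, so whether a suitable helper already exists in the file is not visible here.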
@@ -219,7 +219,7 @@ smp_fetch_ssl_x_serial(const struct arg *args, struct sample *smp, const char *k
 SSL *ssl;
 if (conn_server)
- conn = cs_conn(objt_cs(smp->strm->si[1].end));
+ conn = smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
 else
 conn = objt_conn(smp->sess->origin);
 ssl = ssl_sock_get_ssl_object(conn);
@@ -272,7 +272,7 @@ smp_fetch_ssl_x_sha1(const struct arg *args, struct sample *smp, const char *kw,
 SSL *ssl;
 if (conn_server)
- conn = cs_conn(objt_cs(smp->strm->si[1].end));
+ conn = smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
 else
 conn = objt_conn(smp->sess->origin);
@@ -323,7 +323,7 @@ smp_fetch_ssl_x_notafter(const struct arg *args, struct sample *smp, const char
 SSL *ssl;
 if (conn_server)
- conn = cs_conn(objt_cs(smp->strm->si[1].end));
+ conn = smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
 else
 conn = objt_conn(smp->sess->origin);
@@ -375,7 +375,7 @@ smp_fetch_ssl_x_i_dn(const struct arg *args, struct sample *smp, const char *kw,
 SSL *ssl;
 if (conn_server)
- conn = cs_conn(objt_cs(smp->strm->si[1].end));
+ conn = smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
 else
 conn = objt_conn(smp->sess->origin);
@@ -443,7 +443,7 @@ smp_fetch_ssl_x_notbefore(const struct arg *args, struct sample *smp, const char
 SSL *ssl;
 if (conn_server)
- conn = cs_conn(objt_cs(smp->strm->si[1].end));
+ conn = smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
 else
 conn = objt_conn(smp->sess->origin);
@@ -495,7 +495,7 @@ smp_fetch_ssl_x_s_dn(const struct arg *args, struct sample *smp, const char *kw,
 SSL *ssl;
 if (conn_server)
- conn = cs_conn(objt_cs(smp->strm->si[1].end));
+ conn = smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
 else
 conn = objt_conn(smp->sess->origin);
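Review bot: In smp_fetch_ssl_x_serial the newly possible NULL `conn` is handed straight to `ssl_sock_get_ssl_object(conn)` on the last context line, and the smp_fetch_ssl_x_version and smp_fetch_ssl_x_key_alg hunks show the same call, so the fix is only complete if that function accepts a NULL connection. Its definition is not part of this patch; the client-side branch can presumably already yield NULL through `objt_conn()`, which suggests it does, but that should be confirmed on every branch this is backported to. A one-line comment at the call such as `/* conn may be NULL here (no stream); ssl_sock_get_ssl_object() must tolerate it */` would record the dependency. If it cannot be guaranteed, an explicit `if (!conn) return 0;` before the call would be safer, assuming 0 is the "no sample" return in these functions, whose bodies continue outside the hunks.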
@@ -592,7 +592,7 @@ smp_fetch_ssl_x_version(const struct arg *args, struct sample *smp, const char *
 SSL *ssl;
 if (conn_server)
- conn = cs_conn(objt_cs(smp->strm->si[1].end));
+ conn = smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
 else
 conn = objt_conn(smp->sess->origin);
 ssl = ssl_sock_get_ssl_object(conn);
@@ -637,7 +637,7 @@ smp_fetch_ssl_x_sig_alg(const struct arg *args, struct sample *smp, const char *
 SSL *ssl;
 if (conn_server)
- conn = cs_conn(objt_cs(smp->strm->si[1].end));
+ conn = smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
 else
 conn = objt_conn(smp->sess->origin);
@@ -694,7 +694,7 @@ smp_fetch_ssl_x_key_alg(const struct arg *args, struct sample *smp, const char *
 SSL *ssl;
 if (conn_server)
- conn = cs_conn(objt_cs(smp->strm->si[1].end));
+ conn = smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
 else
 conn = objt_conn(smp->sess->origin);
 ssl = ssl_sock_get_ssl_object(conn);
--
1.7.10.4