[nginx] SSL: fixed possible use-after-free in $ssl_server_name.

Maxim Dounin mdounin at mdounin.ru
Tue Aug 22 14:40:38 UTC 2017


details:   http://hg.nginx.org/nginx/rev/2e8de3d81783
branches:  
changeset: 7092:2e8de3d81783
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Tue Aug 22 17:36:12 2017 +0300
description:
SSL: fixed possible use-after-free in $ssl_server_name.

The $ssl_server_name variable used SSL_get_servername() result directly,
but this is not safe: it references a memory allocation in an SSL
session, and this memory might be freed at any time due to renegotiation.
Instead, copy the name to memory allocated from the pool.

diffstat:

 src/event/ngx_event_openssl.c |  23 ++++++++++++++++-------
 1 files changed, 16 insertions(+), 7 deletions(-)

diffs (33 lines):

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3551,13 +3551,22 @@ ngx_ssl_get_server_name(ngx_connection_t
 {
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 
-    const char  *servername;
-
-    servername = SSL_get_servername(c->ssl->connection,
-                                    TLSEXT_NAMETYPE_host_name);
-    if (servername) {
-        s->data = (u_char *) servername;
-        s->len = ngx_strlen(servername);
+    size_t       len;
+    const char  *name;
+
+    name = SSL_get_servername(c->ssl->connection, TLSEXT_NAMETYPE_host_name);
+
+    if (name) {
+        len = ngx_strlen(name);
+
+        s->len = len;
+        s->data = ngx_pnalloc(pool, len);
+        if (s->data == NULL) {
+            return NGX_ERROR;
+        }
+
+        ngx_memcpy(s->data, name, len);
+
         return NGX_OK;
     }
 


More information about the nginx-devel mailing list