[PATCH] Avoid using the result of i2d_SSL_SESSION when the session is invalid
Ruslan Ermilov
ru at nginx.com
Mon Jun 19 10:10:04 UTC 2017
On Mon, Jun 19, 2017 at 08:08:38AM +0200, Bart Warmerdam wrote:
> # HG changeset patch
> # User Bart Warmerdam <bartw at xs4all.nl>
> # Date 1497852211 -7200
> # Mon Jun 19 08:03:31 2017 +0200
> # Branch i2d_ssl_session_length
> # Node ID 079afb2cb4be3ef06d07e96d1a54cc359b971631
> # Parent d1816a2696de8c2faa1cd913a151e5f62a8620f3
> Make sure to also take into account the 'return 0' response of
> i2d_SSL_SESSION, which is possible when the session is not valid
A case of invalid session is already caught by checking the return
value of SSL_get0_session() just prior to calling i2d_SSL_SESSION()
in ngx_http_upstream_save_round_robin_peer_session() and
ngx_stream_upstream_save_round_robin_peer_session().
The ngx_ssl_new_session() function is passed as an argument to
SSL_CTX_sess_set_new_cb() that "sets the callback function, which
is automatically called whenever a new session was negotiated."
Do you think that it's possible for a session to be invalid in
either of these cases?
> diff -r d1816a2696de -r 079afb2cb4be src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c Fri Jun 16 18:15:58 2017 +0300
> +++ b/src/event/ngx_event_openssl.c Mon Jun 19 08:03:31 2017 +0200
> @@ -2458,9 +2458,9 @@
>
> len = i2d_SSL_SESSION(sess, NULL);
>
> - /* do not cache too big session */
> -
> - if (len > (int) NGX_SSL_MAX_SESSION_SIZE) {
> + /* do not cache too big or invalid session */
> +
> + if (len > (int) NGX_SSL_MAX_SESSION_SIZE || len < 1) {
> return 0;
> }
>
> diff -r d1816a2696de -r 079afb2cb4be
> src/http/ngx_http_upstream_round_robin.c
> --- a/src/http/ngx_http_upstream_round_robin.c Fri Jun 16 18:15:58 2017
> +0300
> +++ b/src/http/ngx_http_upstream_round_robin.c Mon Jun 19 08:03:31 2017
> +0200
> @@ -755,9 +755,9 @@
>
> len = i2d_SSL_SESSION(ssl_session, NULL);
>
> - /* do not cache too big session */
> + /* do not cache too big or invalid session */
>
> - if (len > NGX_SSL_MAX_SESSION_SIZE) {
> + if (len > NGX_SSL_MAX_SESSION_SIZE || len < 1) {
> return;
> }
>
> diff -r d1816a2696de -r 079afb2cb4be
> src/stream/ngx_stream_upstream_round_robin.c
> --- a/src/stream/ngx_stream_upstream_round_robin.c Fri Jun 16
> 18:15:58 2017 +0300
> +++ b/src/stream/ngx_stream_upstream_round_robin.c Mon Jun 19
> 08:03:31 2017 +0200
> @@ -787,9 +787,9 @@
>
> len = i2d_SSL_SESSION(ssl_session, NULL);
>
> - /* do not cache too big session */
> + /* do not cache too big or invalid session */
>
> - if (len > NGX_SSL_MAX_SESSION_SIZE) {
> + if (len > NGX_SSL_MAX_SESSION_SIZE || len < 1) {
> return;
> }
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
--
Ruslan Ermilov
Join us at nginx.conf, Sep. 6-8, Portland, OR
https://www.nginx.com/nginxconf
More information about the nginx-devel
mailing list