Fix unchecked i2d_PrivateKey() return value causing size_t overflow and abort#619
Fix unchecked i2d_PrivateKey() return value causing size_t overflow and abort#619metsw24-max wants to merge 4 commits into
Conversation
|
@notroj any updates? |
|
How is it it possible to trigger the |
|
Done |
| ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(02575) | ||
| "Reusing existing private key from %s on restart", | ||
| ppcb_arg.pkey_file); | ||
| ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, |
There was a problem hiding this comment.
this appears to be a noop apart from removing the APLOGNO()
There was a problem hiding this comment.
Reverted, that hunk slipped in by accident. Also dropped the leftover NULL check on ssl_asn1_table_set() further down, since with the assert it can't return NULL any more, so ssl_engine_pphrase.c is now unchanged from trunk.
| * cannot occur for a key which has already been loaded and used. */ | ||
| ap_assert(derlen > 0); | ||
|
|
||
| apr_size_t length = (apr_size_t)derlen; |
There was a problem hiding this comment.
C90 violation. Build with --enable-maintainer-mode
There was a problem hiding this comment.
Fixed, moved the declarations back above the statements. Compiles cleanly with -Wdeclaration-after-statement now.
The return value of i2d_PrivateKey() in ssl_asn1_table_set() is not validated before being assigned to an apr_size_t.
i2d_PrivateKey() returns an int and may return <= 0 on failure. This value is directly cast to apr_size_t, which can result in a large unsigned value when negative. This leads to excessive memory allocation attempts via ap_malloc()/ap_realloc(), causing the server to abort.
This patch introduces proper validation of the return value before casting, preventing invalid allocations.
Additionally, the caller in ssl_engine_pphrase.c is updated to handle NULL return values from ssl_asn1_table_set() to avoid NULL dereference.
Reproduction:
After fix: