Skip to content

Fix unchecked i2d_PrivateKey() return value causing size_t overflow and abort#619

Closed
metsw24-max wants to merge 4 commits into
apache:trunkfrom
metsw24-max:mod_ssl-i2d-privatekey-overflow
Closed

Fix unchecked i2d_PrivateKey() return value causing size_t overflow and abort#619
metsw24-max wants to merge 4 commits into
apache:trunkfrom
metsw24-max:mod_ssl-i2d-privatekey-overflow

Conversation

@metsw24-max

Copy link
Copy Markdown

The return value of i2d_PrivateKey() in ssl_asn1_table_set() is not validated before being assigned to an apr_size_t.

i2d_PrivateKey() returns an int and may return <= 0 on failure. This value is directly cast to apr_size_t, which can result in a large unsigned value when negative. This leads to excessive memory allocation attempts via ap_malloc()/ap_realloc(), causing the server to abort.

This patch introduces proper validation of the return value before casting, preventing invalid allocations.

Additionally, the caller in ssl_engine_pphrase.c is updated to handle NULL return values from ssl_asn1_table_set() to avoid NULL dereference.

Reproduction:

  • Force i2d_PrivateKey() to return -1
  • Apache attempts to allocate a huge buffer and aborts

After fix:

  • Failure is handled gracefully
  • No crash occurs

@metsw24-max

Copy link
Copy Markdown
Author

@notroj any updates?

@notroj

notroj commented Jun 5, 2026

Copy link
Copy Markdown
Collaborator

How is it it possible to trigger the i2d_PrivateKey failure case here? I would assume this is some only possible in some pathological case, not a practical thing anybody will really it. So add an ap_assert() on the first invocation at most here.

@metsw24-max

Copy link
Copy Markdown
Author

Done
replaced the first-call error handling with ap_assert(derlen > 0) and removed the check on the second invocation as suggested.

Comment thread modules/ssl/ssl_engine_pphrase.c Outdated
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(02575)
"Reusing existing private key from %s on restart",
ppcb_arg.pkey_file);
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this appears to be a noop apart from removing the APLOGNO()

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reverted, that hunk slipped in by accident. Also dropped the leftover NULL check on ssl_asn1_table_set() further down, since with the assert it can't return NULL any more, so ssl_engine_pphrase.c is now unchanged from trunk.

Comment thread modules/ssl/ssl_util.c Outdated
* cannot occur for a key which has already been loaded and used. */
ap_assert(derlen > 0);

apr_size_t length = (apr_size_t)derlen;

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

C90 violation. Build with --enable-maintainer-mode

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed, moved the declarations back above the statements. Compiles cleanly with -Wdeclaration-after-statement now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants