BUG/MAJOR: ssl: missing tests in ACL fetch functions
Baptiste Assmann observed a crash of 1.5-dev12 occuring when the ssl_sni
fetch was used with no SNI on the input connection and without a prior
has_sni check. A code review revealed several issues :
1) it was possible to call the has_sni and ssl_sni fetch functions with
a NULL data_ctx if the handshake fails or if the connection is aborted
during the handshake.
2) when no SNI is present, strlen() was called with a NULL parameter in
smp_fetch_ssl_sni().
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 91e7fee..4198339 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -782,6 +782,7 @@
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
smp->type = SMP_T_BOOL;
smp->data.uint = (l4->si[0].conn.data == &ssl_sock) &&
+ l4->si[0].conn.data_ctx &&
SSL_get_servername(l4->si[0].conn.data_ctx, TLSEXT_NAMETYPE_host_name) != NULL;
return 1;
#else
@@ -797,11 +798,13 @@
smp->flags = 0;
smp->type = SMP_T_CSTR;
- if (!l4 || l4->si[0].conn.data != &ssl_sock)
+ if (!l4 || !l4->si[0].conn.data_ctx || l4->si[0].conn.data != &ssl_sock)
return 0;
- /* data points to cookie value */
smp->data.str.str = (char *)SSL_get_servername(l4->si[0].conn.data_ctx, TLSEXT_NAMETYPE_host_name);
+ if (!smp->data.str.str)
+ return 0;
+
smp->data.str.len = strlen(smp->data.str.str);
return 1;
#else