Diff - 9dc47c4cea5a5c38fb93978519e0c04f98be8631^! - haproxy

commit	9dc47c4cea5a5c38fb93978519e0c04f98be8631	[log] [tgz]
author	Dragan Dosen <ddosen@haproxy.com>	Mon May 04 09:07:28 2020 +0200
committer	Christopher Faulet <cfaulet@haproxy.com>	Mon May 25 08:22:22 2020 +0200
tree	cf34a447308434803ef512d2913a4eaf06b26083
parent	3b614335cf25a7081c25e0a789c932c5960f221c [diff] [blame]

BUG/MEDIUM: ssl: fix the id length check within smp_fetch_ssl_fc_session_id()

After we call SSL_SESSION_get_id(), the length of the id in bytes is
stored in "len", which was never checked. This could cause unexpected
behavior when using the "ssl_fc_session_id" or "ssl_bc_session_id"
fetchers (eg. the result can be an empty value).

The issue was introduced with commit 105599c ("BUG/MEDIUM: ssl: fix
several bad pointer aliases in a few sample fetch functions").

This patch must be backported to 2.1, 2.0, and 1.9.

(cherry picked from commit f35d69e7fc13aab89afcf394c5b96133d3060c1a)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 1028e256e249bc75893b108154fc499ab1b5f825)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 868808c..3dbab2b 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -7462,7 +7462,7 @@
 		return 0;
 
 	smp->data.u.str.area = (char *)SSL_SESSION_get_id(ssl_sess, &len);
-	if (!smp->data.u.str.area || !smp->data.u.str.data)
+	if (!smp->data.u.str.area || !len)
 		return 0;
 
 	smp->data.u.str.data = len;