OCSP stapling: fixed segfault without nextUpdate.

OCSP responses may contain no nextUpdate.  As per RFC 6960, this means
that nextUpdate checks should be bypassed.  Handle this gracefully by
using NGX_MAX_TIME_T_VALUE as "valid" in such a case.

The problem was introduced by 6893a1007a7c (1.9.2).

Reported by Matthew Baldwin.
Maxim Dounin 2015-07-14 01:10:25 +03:00
parent 573810ce36
commit 3ac176fb86

@ -637,6 +637,7 @@ ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
goto error; goto error;
} }
if (nextupdate) {
valid = ngx_ssl_stapling_time(nextupdate); valid = ngx_ssl_stapling_time(nextupdate);
if (valid == (time_t) NGX_ERROR) { if (valid == (time_t) NGX_ERROR) {
ngx_log_error(NGX_LOG_ERR, ctx->log, 0, ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
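Review bot: the new `if (nextupdate) {` guard carries no comment saying that a missing nextUpdate is a legitimate case under RFC 6960, so a later reader could mistake the NULL check for redundant defensive code and drop it. A one-line comment above the guard, noting that nextUpdate is optional and that the guarded ngx_ssl_stapling_time(nextupdate) call is skipped when it is absent, would keep the reason next to the code. A regression test with an OCSP response that omits nextUpdate would also be worth adding, since the commit message says the crash came in with an earlier change.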
@ -644,6 +645,10 @@ ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
goto error; goto error;
} }
} else {
valid = NGX_MAX_TIME_T_VALUE;
}
OCSP_CERTID_free(id); OCSP_CERTID_free(id);
OCSP_BASICRESP_free(basic); OCSP_BASICRESP_free(basic);
OCSP_RESPONSE_free(ocsp); OCSP_RESPONSE_free(ocsp);
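Review bot: in the new else branch, `valid = NGX_MAX_TIME_T_VALUE;` makes a response without nextUpdate look valid forever, and the visible lines do not show how `valid` is consumed afterwards. Please check every later use of `valid` for arithmetic that could overflow when it already holds the maximum time_t, and confirm that the stapled response is still refreshed on some schedule, so that an old "good" status is not served indefinitely after a revocation. If the refresh time is derived from `valid`, a bounded lifetime for responses without nextUpdate would be safer than the maximum value.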