mirror of
https://github.com/nginx/nginx.git
synced 2025-06-06 00:42:40 +08:00
SSL: fixed possible use-after-free in $ssl_server_name.
The $ssl_server_name variable used SSL_get_servername() result directly, but this is not safe: it references a memory allocation in an SSL session, and this memory might be freed at any time due to renegotiation. Instead, copy the name to memory allocated from the pool.
parent
50a0f25c60
commit
ed0cc4d523
@ -3551,13 +3551,22 @@ ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
||||
{
|
||||
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
||||
|
||||
const char *servername;
|
||||
size_t len;
|
||||
const char *name;
|
||||
|
||||
name = SSL_get_servername(c->ssl->connection, TLSEXT_NAMETYPE_host_name);
|
||||
|
||||
if (name) {
|
||||
len = ngx_strlen(name);
|
||||
|
||||
s->len = len;
|
||||
s->data = ngx_pnalloc(pool, len);
|
||||
if (s->data == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
ngx_memcpy(s->data, name, len);
|
||||
|
||||
servername = SSL_get_servername(c->ssl->connection,
|
||||
TLSEXT_NAMETYPE_host_name);
|
||||
if (servername) {
|
||||
s->data = (u_char *) servername;
|
||||
s->len = ngx_strlen(servername);
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
|
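Review bot: The copy into pool memory in the `if (name)` branch carries no comment saying why the pointer returned by SSL_get_servername() must not be stored, so the reason lives only in the commit message and a later cleanup could reintroduce the borrowed pointer. I would add above the `ngx_pnalloc()` call: `/* SSL_get_servername() points into SSL session memory that renegotiation may free; copy it */`. Separately, `s->len = len;` is assigned before the allocation result is checked, so on the `NGX_ERROR` path `s` is left with a non-zero length and NULL data; moving the assignment below the NULL check would avoid that if any caller (not visible here) reads `s` after a failure. The page has lost its +/- markers, so which lines are new is inferred from the description, and the function body continues past the end of the hunk.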