Null pointer access in ssl_callback_session_ticket #6886

@sudheerv

Description

Seeing a crash in 9.0 with netvc being null in ssl_callback_session_ticket. Although netvc shouldn't be null, given that the SSL callbacks are asynchronous it sounds reasonable to check for nullptr.

Note that the code is different on master, though, with commit 16fb809.

(gdb) thr 30
[Switching to thread 30 (Thread 0x2b1856f05700 (LWP 22652))]
#0  0x00002b18467367c0 in _dl_addr () from /lib64/libc.so.6
(gdb) bt
#0  0x00002b18467367c0 in _dl_addr () from /lib64/libc.so.6
#1  0x00002b184670e585 in backtrace_symbols_fd () from /lib64/libc.so.6
#2  0x00002b1843cf8a59 in ink_stack_trace_dump () at ink_stack_trace.cc:65
#3  0x00002b1843d0d8b3 in signal_crash_handler (signo=signo@entry=11) at signals.cc:180
#4  0x00000000004c434e in crash_logger_invoke (signo=11, info=0x2b1856f03530, ctx=0x2b1856f03400) at traffic_server/Crash.cc:173
#5  <signal handler called>
#6  ssl_callback_session_ticket (ssl=0x2b18ff0bf000, keyname=0x2b1856f042c0 "\200C\360V\030+", iv=0x2b1856f042b0 "", cipher_ctx=0x2b18ca612040, hctx=0x2b18d12c3880, enc=1) at SSLSessionTicket.cc:67
#7  0x00002b1844cd2718 in tls_construct_new_session_ticket () from /lib/libssl.so.1.1
#8  0x00002b1844cc43f7 in state_machine () from /lib/libssl.so.1.1
#9  0x00002b1844caf878 in SSL_do_handshake () from /lib/libssl.so.1.1
#10 0x0000000000754490 in SSLAccept (ssl=0x2b18ff0bf000) at SSLUtils.cc:1886
#11 0x000000000073f9a6 in SSLNetVConnection::sslServerHandShakeEvent (this=this@entry=0x2b1966ad48b0, err=@0x2b1856f04a90: 0) at SSLNetVConnection.cc:1238
#12 0x0000000000741ca1 in SSLNetVConnection::sslStartHandShake (this=0x2b1966ad48b0, event=<optimized out>, err=@0x2b1856f04a90: 0) at SSLNetVConnection.cc:1052
#13 0x00000000007407f3 in SSLNetVConnection::net_read_io (this=0x2b1966ad48b0, nh=0x2b184be23d80, lthread=0x2b184be20000) at SSLNetVConnection.cc:564
#14 0x0000000000760658 in NetHandler::process_ready_list (this=this@entry=0x2b184be23d80) at UnixNet.cc:412
#15 0x000000000076094d in NetHandler::waitForActivity (this=0x2b184be23d80, timeout=<optimized out>) at UnixNet.cc:547
#16 0x00000000007c3eaa in EThread::execute_regular (this=this@entry=0x2b184be20000) at UnixEThread.cc:266
#17 0x00000000007c4112 in EThread::execute (this=0x2b184be20000) at UnixEThread.cc:327
#18 0x00000000007c2499 in spawn_thread_internal (a=0x2b184796b580) at Thread.cc:92
#19 0x00002b1845946dd5 in start_thread () from /lib64/libpthread.so.0
#20 0x00002b18466f7ead in clone () from /lib64/libc.so.6
(gdb) p namele
No symbol "namele" in current context.
(gdb) p namelen
No symbol "namelen" in current context.
(gdb) f 6
#6  ssl_callback_session_ticket (ssl=0x2b18ff0bf000, keyname=0x2b1856f042c0 "\200C\360V\030+", iv=0x2b1856f042b0 "", cipher_ctx=0x2b18ca612040, hctx=0x2b18d12c3880, enc=1) at SSLSessionTicket.cc:67
67	SSLSessionTicket.cc: No such file or directory.
(gdb) p namelen
$1 = 28
(gdb) p name
$2 = 0
(gdb) p keyname
$3 = (unsigned char *) 0x2b1856f042c0 "\200C\360V\030+"
(gdb) p *keyname
$4 = 128 '\200'
(gdb) p iv
$5 = (unsigned char *) 0x2b1856f042b0 ""
(gdb) p *iv
$6 = 0 '\000'
(gdb) p netvc
$7 = (SSLNetVConnection &) @0x0: <error reading variable>
(gdb) p ssl
$8 = (SSL *) 0x2b18ff0bf000
(gdb) p *ssl
$9 = {version = 771, type = 0, method = 0x2b1844f00940 <tlsv1_2_server_method_data.22516>, rbio = 0x2b18a040e480, wbio = 0x2b191f83e780, bbio = 0x2b191f83e780, rwstate = 1, in_handshake = 0, handshake_func = 0x2b1844cc4c80 <ossl_statem_accept>, server = 1, new_session = 0, quiet_shutdown = 0, shutdown = 0, 
  state = 3, rstate = 2, init_buf = 0x100000002, init_msg = 0x2100000002, init_num = 0, init_off = 1, packet = 0x100000000 <Address 0x100000000 out of bounds>, packet_length = 1, s2 = 0x0, s3 = 0x0, d1 = 0x2b18ff07f3c0, read_ahead = -12746748, msg_callback = 0x0, msg_callback_arg = 0x0, hit = -1605759744, 
  param = 0x0, cipher_list = 0x0, cipher_list_by_id = 0x0, mac_flags = 0, enc_read_ctx = 0x2b18d5c27a50, read_hash = 0x0, expand = 0x0, enc_write_ctx = 0x0, write_hash = 0x0, compress = 0x0, cert = 0xffffffff00000000, sid_ctx_length = 4294967295, sid_ctx = '\000' <repeats 28 times>, "\240\236\022\321", 
  session = 0x0, generate_session_id = 0x0, verify_mode = 0, verify_callback = 0x0, info_callback = 0x0, error = 0, error_code = 0, kssl_ctx = 0x0, psk_client_callback = 0x0, psk_server_callback = 0x0, ctx = 0x0, debug = 0, verify_result = 0, ex_data = {sk = 0x0, dummy = 0}, client_CA = 0x0, 
  references = 0, options = 0, mode = 0, max_cert_list = 0, first_packet = 0, client_version = 0, max_send_fragment = 0, tlsext_debug_cb = 0x0, tlsext_debug_arg = 0x0, tlsext_hostname = 0x0, servername_done = 0, tlsext_status_type = 0, tlsext_status_expected = 0, tlsext_ocsp_ids = 0x0, 
  tlsext_ocsp_exts = 0x0, tlsext_ocsp_resp = 0x0, tlsext_ocsp_resplen = 0, tlsext_ticket_expected = 0, tlsext_ecpointformatlist_length = 0, tlsext_ecpointformatlist = 0x0, tlsext_ellipticcurvelist_length = 0, tlsext_ellipticcurvelist = 0x0, tlsext_opaque_prf_input = 0x0, tlsext_opaque_prf_input_len = 0, 
  tlsext_session_ticket = 0x0, tls_session_ticket_ext_cb = 0x0, tls_session_ticket_ext_cb_arg = 0x0, tls_session_secret_cb = 0x0, tls_session_secret_cb_arg = 0x0, initial_ctx = 0x0, next_proto_negotiated = 0x0, next_proto_negotiated_len = 0 '\000', srtp_profiles = 0x0, srtp_profile = 0x0, 
  tlsext_heartbeat = 0, tlsext_hb_pending = 0, tlsext_hb_seq = 0, renegotiate = 0, alpn_client_proto_list = 0x0, alpn_client_proto_list_len = 0}
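The crash in frame 6 is a dereference of a null per-connection object (`netvc`, `$7 = ... @0x0`) inside the session-ticket callback that OpenSSL invokes from `SSL_do_handshake`. The following is an added illustration, not Traffic Server or OpenSSL code: it models the callback's lookup of the connection object through an `ex_data` slot and the defensive check the report asks for. `ModelSSL`, `ModelNetVC`, `kNetVCExDataIndex` and `model_session_ticket_cb` are hypothetical stand-ins; the return-code meanings (-1 error, 0 no ticket, 1 ok, 2 ok but renew) follow the documented contract of OpenSSL's `SSL_CTX_set_tlsext_ticket_key_cb`, and returning -1 on a missing connection is this example's choice, not necessarily what the project's fix does.

```cpp
// Added example (not Apache Traffic Server code): a model of the
// session-ticket callback's lookup of per-connection state, showing why a
// null check on that state is needed and what the callback returns instead.
#include <cstring>

constexpr int kKeyNameLen = 16;  // OpenSSL ticket key_name is 16 bytes
constexpr int kIvLen      = 16;  // block-sized IV in this model

// Stand-in for OpenSSL's SSL object: only the ex_data slots are modelled.
struct ModelSSL {
  void *ex_data[4] = {nullptr, nullptr, nullptr, nullptr};
};
constexpr int kNetVCExDataIndex = 0;  // hypothetical ex_data index

struct TicketKey {
  unsigned char name[kKeyNameLen];
  unsigned char aes_key[32];
};

// Stand-in for SSLNetVConnection: the per-connection object the callback
// needs (it holds the ticket keys configured for this connection).
struct ModelNetVC {
  const TicketKey *keys;
  int nkeys;
};

// Return codes follow the documented OpenSSL ticket-key callback contract.
enum TicketResult { TICKET_ERROR = -1, TICKET_NONE = 0, TICKET_OK = 1, TICKET_RENEW = 2 };

static ModelNetVC *netvc_from_ssl(ModelSSL *ssl) {
  return static_cast<ModelNetVC *>(ssl->ex_data[kNetVCExDataIndex]);
}

// Model of ssl_callback_session_ticket. enc == 1: OpenSSL is issuing a new
// ticket and wants key_name and iv filled in; enc == 0: a client presented a
// ticket with key_name and the callback must find the matching key.
int model_session_ticket_cb(ModelSSL *ssl, unsigned char *keyname, unsigned char *iv, int enc) {
  ModelNetVC *netvc = netvc_from_ssl(ssl);
  if (netvc == nullptr) {
    // The connection object is already gone (the reported crash is this
    // dereference with netvc == 0). Report an error so the handshake is
    // aborted instead of the process crashing.
    return TICKET_ERROR;
  }
  if (netvc->nkeys == 0) {
    return TICKET_NONE;  // no keys configured: continue without a ticket
  }
  if (enc) {
    memcpy(keyname, netvc->keys[0].name, kKeyNameLen);  // newest key
    for (int i = 0; i < kIvLen; i++) {
      iv[i] = static_cast<unsigned char>(0xA0 + i);  // real code: RAND_bytes()
    }
    return TICKET_OK;
  }
  for (int i = 0; i < netvc->nkeys; i++) {
    if (memcmp(keyname, netvc->keys[i].name, kKeyNameLen) == 0) {
      return i == 0 ? TICKET_OK : TICKET_RENEW;  // older key: ask for renewal
    }
  }
  return TICKET_NONE;  // unknown key name: fall back to a full handshake
}

void model_attach(ModelSSL *ssl, ModelNetVC *vc) { ssl->ex_data[kNetVCExDataIndex] = vc; }
void model_detach(ModelSSL *ssl)                 { ssl->ex_data[kNetVCExDataIndex] = nullptr; }

// The sequence from the report: the callback fires once while the connection
// object is attached and again after it has been detached. Both results are
// returned through the out-parameters for inspection.
void run_detach_scenario(int *before, int *after) {
  TicketKey key;  // constructed sample key
  memset(key.name, 'A', kKeyNameLen);
  memset(key.aes_key, 0x11, sizeof key.aes_key);
  ModelNetVC vc = {&key, 1};
  ModelSSL ssl;
  unsigned char name[kKeyNameLen], iv[kIvLen];
  model_attach(&ssl, &vc);
  *before = model_session_ticket_cb(&ssl, name, iv, 1);  // TICKET_OK
  model_detach(&ssl);  // connection torn down while the async handshake continues
  *after = model_session_ticket_cb(&ssl, name, iv, 1);   // TICKET_ERROR, no crash
}
```

The first call succeeds and fills in the key name; the second, made after the connection object was detached, returns the error code rather than dereferencing null. Returning 0 instead of -1 would let the handshake continue without a ticket, which is the other defensible choice when the connection state has disappeared.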
