Skip to content

Fix crash on config reload with BoringSSL #9840

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
maskit merged 1 commit into from
Jun 16, 2023
Merged

Fix crash on config reload with BoringSSL #9840

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion iocore/net/SSLConfig.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -952,7 +952,8 @@ SSLConfigParams::getCTX(const std::string &client_cert, const std::string &key_f
SSLError("failed to attach client chain certificate from %s", client_cert.c_str());
goto fail;
}
X509_free(cert);
// Do not free cert becasue SSL_CTX_add_extra_chain_cert takes ownership of cert if it succeeds, unlike
// SSL_CTX_use_certificate.
Copy link
Contributor

@jpeach jpeach Jun 15, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If SSL_CTX_add_extra_chain_cert, but a subsequent operation fails, we would free the certificate at the failed label. Wouldn't that also be a double free when the SSL_CTX is freed?

Copy link
Member Author

@maskit maskit Jun 15, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if I understand your comment correctly.

If SSL_CTX_add_extra_chain_cert succeeds, PEM_read_bio_X509 will be called. And if that fails, cert is nullptr and we leave this while loop. Since cert is nullptr, it won't be freed even if we go to fail label later.

If SSL_CTX_add_extra_chain_cert fails, SSL_CTX doesn't have ownership, so the cert has to be freed. We jump to fail label, and the cert will be freed.

Copy link
Contributor

@jpeach jpeach Jun 15, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, I missed the extra read at the end of the loop. IMHO, writing it like this would be a lot clearer:

      // Continue to fetch certs to associate intermediate certificates.
      while ((cert = PEM_read_bio_X509(biop, nullptr, nullptr, nullptr)) {
          if (!SSL_CTX_add_extra_chain_cert(client_ctx.get(), cert)) {
            SSLError("failed to attach client chain certificate from %s", client_cert.c_str());
            goto fail;
          }
      }

cert = PEM_read_bio_X509(biop, nullptr, nullptr, nullptr);
}

Expand Down