[mod_gnutls-devel] [pull-request] Fix use-after-free, reverse proxy should work now

Thomas Klute thomas2.klute at uni-dortmund.de
Wed Jan 21 11:13:17 CET 2015


Hi everyone,

I've fixed another problem with mod_gnutls in a reverse proxy
configuration. After running >1000 test requests, I'm fairly confident
that reverse proxy (HTTP back end only) works properly now.

ssl_engine_disable called mgs_cleanup_pre_config on the connection pool
before returning. However, mgs_cleanup_pre_config deinitializes the
global GnuTLS data structures. Trying to use those deinitialized data
structures led to segmentation faults during TLS handshake (stack trace
attached).

Since there is no need to globally deinitialize GnuTLS when disabling
TLS for one specific connection, the fix is to remove the call to
mgs_cleanup_pre_config from ssl_engine_disable [1]. Pull request below,
including my previous fixes.

Kind regards,
Thomas Klute

[1]
https://github.com/airtower-luna/mod_gnutls/commit/c782c1f12c0ed4d5048eb52fd3ef51037c53f426

The following changes since commit c32240fe453de3ce9c48887f2ecd649a5555340f:

  switch from --long-arg=foo to --long-arg foo for certtool in test suite (2014-09-24 13:01:57 -0400)

are available in the git repository at:

  https://github.com/airtower-luna/mod_gnutls.git proxy-segfault-fix

for you to fetch changes up to c4ba9722083c4eadbdd1a77aab4ab71f0a1081f8:

  Add myself to list of contributors (2015-01-21 10:36:42 +0100)

----------------------------------------------------------------
Thomas Klute (6):
      Use proper GNUTLS_ENABLED_* macros in SSL proxy functions
      Check if filters exist before removing them in ssl_engine_disable
      Check error codes during GnuTLS connection init
      Enable/disable TLS per connection in ssl_engine_disable
      Don't do global deinit when disabling TLS for a proxy back end connection
      Add myself to list of contributors

 README                  |  1 +
 include/mod_gnutls.h.in |  2 ++
 src/gnutls_hooks.c      | 62 ++++++++++++++++++++++++++++++++-----------------
 src/mod_gnutls.c        | 35 +++++++++++++++++++++-------
 4 files changed, 70 insertions(+), 30 deletions(-)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: segfault_bt.log
Type: text/x-log
Size: 6576 bytes
Desc: not available
URL: </pipermail/attachments/20150121/6a9cedc7/attachment.bin>
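
The failure mode described in the message, as an added example that is not part of the original post and is not mod_gnutls or GnuTLS code: a per-connection "disable TLS" routine that also tears down process-wide library state breaks the next handshake on any other connection. All names are hypothetical, and the model returns -1 at the point where real code would touch freed memory and crash.

```c
/* Added illustration; every name is hypothetical, not mod_gnutls or GnuTLS code. */
#include <stdio.h>
#include <stdlib.h>

/* Process-wide library state shared by all connections. */
static int *g_state = NULL;
static void lib_global_init(void)   { if (!g_state) g_state = calloc(1, sizeof *g_state); }
static void lib_global_deinit(void) { free(g_state); g_state = NULL; }

struct conn { int tls_enabled; };

/* A handshake needs the global state. The model returns -1 where a real
 * library would dereference deinitialized data and segfault. */
static int conn_handshake(const struct conn *c)
{
    if (!c->tls_enabled) return 0;   /* plain connection, nothing to do */
    if (g_state == NULL) return -1;  /* global state was torn down */
    ++*g_state;                      /* use the shared state */
    return 1;
}

/* Before: disabling TLS for ONE connection deinitializes GLOBAL state. */
static void conn_disable_tls_buggy(struct conn *c)
{ c->tls_enabled = 0; lib_global_deinit(); }

/* After: only per-connection state changes. */
static void conn_disable_tls_fixed(struct conn *c)
{ c->tls_enabled = 0; }

/* Assumed scenario: TLS is disabled for a plain HTTP back end connection,
 * then a TLS handshake runs on another connection in the same process. */
static int proxy_scenario(void (*disable)(struct conn *))
{
    struct conn frontend = { 1 }, backend = { 1 };
    int rc;
    lib_global_init();
    disable(&backend);
    rc = conn_handshake(&frontend);
    lib_global_deinit();             /* the one legitimate global teardown */
    return rc;
}

int main(void)
{
    printf("buggy disable: handshake rc=%d\n", proxy_scenario(conn_disable_tls_buggy));
    printf("fixed disable: handshake rc=%d\n", proxy_scenario(conn_disable_tls_fixed));
    return 0;
}
```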

