Bug 57070

Summary: <If "%{SSL_CLIENT_S_DN_Email} != ''"> on non-HTTPS connection crashes in ssl_var_lookup_ssl
Product: Apache httpd-2
Reporter: Anders Kaseorg <andersk>
Component: mod_ssl
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED
Severity: normal
Keywords: FixedInTrunk, PatchAvailable
Priority: P2
Version: 2.4.10
Target Milestone: ---
Hardware: PC
OS: Linux

Description Anders Kaseorg 2014-10-09 02:53:17 UTC
This .htaccess file causes a NULL dereference in ssl_var_lookup_ssl, when visited over a non-HTTPS connection:

<If "%{SSL_CLIENT_S_DN_Email} != ''">
</If>

Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  ssl_var_lookup_ssl (p=0x7f4f140028f8, r=0x7f4f14002970, var=0x7f4f1400e0b4 "CLIENT_S_DN_Email", c=<optimized out>) at ssl_engine_vars.c:344
344	    ssl = sslconn->ssl;
Missing separate debuginfos, use: debuginfo-install nss-pam-ldapd-0.8.13-4.fc20.x86_64 nss_nonlocal-2.1-1.x86_64
(gdb) bt
#0  ssl_var_lookup_ssl (p=0x7f4f140028f8, r=0x7f4f14002970, var=0x7f4f1400e0b4 "CLIENT_S_DN_Email", c=<optimized out>) at ssl_engine_vars.c:344
#1  0x00007f4f537d6ce7 in ap_expr_eval_word ()
#2  0x00007f4f537d71f6 in ap_expr_eval_comp ()
#3  0x00007f4f537d74a0 in ap_expr_eval ()
#4  0x00007f4f537d7e98 in ap_expr_exec_ctx ()
#5  0x00007f4f537d81d8 in ap_expr_exec_re ()
#6  0x00007f4f537d25be in ap_if_walk ()
#7  0x00007f4f537d28e2 in ap_process_request_internal ()
#8  0x00007f4f537ee9e8 in ap_process_async_request ()
#9  0x00007f4f537eecd4 in ap_process_request ()
#10 0x00007f4f537eb692 in ap_process_http_connection ()
#11 0x00007f4f537e34d0 in ap_run_process_connection ()
#12 0x00007f4f513e353b in process_socket (bucket_alloc=0x7f4f140008e8, my_thread_num=25, my_child_num=2, sock=0x7f4f40014290, p=0x7f4f40014208, 
    thd=0x7f4f554fc120) at worker.c:619
#13 worker_thread (thd=0x7f4f554fc120, dummy=<optimized out>) at worker.c:978
#14 0x00007f4f5225aee5 in start_thread (arg=0x7f4f367ec700) at pthread_create.c:309
#15 0x00007f4f51d85b8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
(gdb) info locals
sslconn = 0x0
result = 0x0
xs = <optimized out>
sk = <optimized out>
ssl = <optimized out>
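The failure mode in the report, as an added example that is not httpd's code: constructed stand-ins for conn_rec and SSLConnRec (assumed names my_conn_config, var_lookup_ssl, expr_var_fn_before, expr_var_fn_after, if_condition_holds) show why the per-connection mod_ssl config is NULL on a plain-HTTP request, and how a call-site guard of the shape proposed in comment 1 makes the <If> test evaluate to false instead of faulting.

```c
#include <string.h>

/* Constructed stand-ins for httpd's conn_rec and SSLConnRec, not httpd's
 * types: mod_ssl fills the per-connection config slot only on TLS
 * connections, so on plain HTTP the equivalent of myConnConfig() is NULL. */
typedef struct { const char *client_s_dn_email; } ssl_conn_rec;
typedef struct { ssl_conn_rec *ssl_module_config; } conn_rec;

static ssl_conn_rec *my_conn_config(const conn_rec *c)
{
    return c->ssl_module_config;
}

/* Stands in for ssl_var_lookup_ssl(): it assumes sslconn is non-NULL, the
 * same assumption that ssl_engine_vars.c:344 makes in the backtrace. */
static const char *var_lookup_ssl(const conn_rec *c, const char *var)
{
    ssl_conn_rec *sslconn = my_conn_config(c);
    if (strcmp(var, "CLIENT_S_DN_Email") == 0)
        return sslconn->client_s_dn_email ? sslconn->client_s_dn_email : "";
    return "";
}

/* Pre-fix expression hook: forwards unconditionally, so evaluating
 * %{SSL_CLIENT_S_DN_Email} on a plain-HTTP request dereferences NULL. */
const char *expr_var_fn_before(const conn_rec *c, const char *var)
{
    return var_lookup_ssl(c, var);
}

/* Post-fix expression hook, the shape of the patch in comment 1: check the
 * per-connection config first and yield "" on non-TLS connections. */
const char *expr_var_fn_after(const conn_rec *c, const char *var)
{
    return my_conn_config(c) ? var_lookup_ssl(c, var) : "";
}

/* The <If "%{SSL_CLIENT_S_DN_Email} != ''"> test from the .htaccess,
 * evaluated through either hook; 1 when the <If> body would apply. */
int if_condition_holds(const conn_rec *c,
                       const char *(*hook)(const conn_rec *, const char *))
{
    return strcmp(hook(c, "CLIENT_S_DN_Email"), "") != 0;
}

/* Constructed samples: a TLS session with a client-cert e-mail, and plain HTTP. */
ssl_conn_rec sample_tls = { "alice@example.org" };
conn_rec sample_https = { &sample_tls };
conn_rec sample_http = { NULL };
```

Calling expr_var_fn_before on sample_http reproduces the NULL dereference from the backtrace; the guarded hook returns "" there, so the <If> block is simply skipped on HTTP.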
Comment 1 Ruediger Pluem 2014-10-09 06:35:52 UTC
Can you please try the following patch?

Index: ssl_engine_vars.c
===================================================================
--- ssl_engine_vars.c   (revision 1630015)
+++ ssl_engine_vars.c   (working copy)
@@ -73,7 +73,9 @@
 static const char *expr_var_fn(ap_expr_eval_ctx_t *ctx, const void *data)
 {
     char *var = (char *)data;
-    return ssl_var_lookup_ssl(ctx->p, ctx->c, ctx->r, var);
+    SSLConnRec *sslconn = myConnConfig(ctx->c);
+
+    return sslconn ? ssl_var_lookup_ssl(ctx->p, ctx->c, ctx->r, var) : "";
 }

 static int ssl_expr_lookup(ap_expr_lookup_parms *parms)
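Review bot: the NULL guard is placed in expr_var_fn, but the dereference that faults is `ssl = sslconn->ssl;` inside ssl_var_lookup_ssl (ssl_engine_vars.c:344 in the backtrace), so any other caller that reaches ssl_var_lookup_ssl with myConnConfig(c) == NULL keeps the same crash; consider moving the check into ssl_var_lookup_ssl itself, or at least adding a comment on that function stating that callers must have verified the connection config. It is also worth confirming that sslconn->ssl is non-NULL whenever sslconn is, since a non-NULL SSLConnRec is all the new test establishes before the lookup proceeds. Returning "" rather than NULL is the right choice for the expression evaluator: it lets `%{SSL_CLIENT_S_DN_Email} != ''` evaluate to false on a plain connection instead of handing a NULL to ap_expr_eval_comp.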
Comment 2 Anders Kaseorg 2014-10-09 07:38:30 UTC
(In reply to Ruediger Pluem from comment #1)
> -    return ssl_var_lookup_ssl(ctx->p, ctx->c, ctx->r, var);
> +    SSLConnRec *sslconn = myConnConfig(ctx->c);
> +
> +    return sslconn ? ssl_var_lookup_ssl(ctx->p, ctx->c, ctx->r, var) : "";

Yeah, that fixes the crash.
Comment 3 Ruediger Pluem 2014-10-10 17:56:15 UTC
Committed to trunk as r1630947.
Comment 4 Christophe JAILLET 2015-01-09 21:21:12 UTC
Backported to 2.4.x in r1650659.

Will be part of 2.4.11