Summary: | Crash using SSL certificate with pathlen constraint due to free() | | |
---|---|---|---|
Product: | Apache httpd-2 | Reporter: | Paul Spangler <paul.spangler> |
Component: | mod_ssl | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | ylavic.dev |
Priority: | P2 | Keywords: | FixedInTrunk |
Version: | 2.4.7 | | |
Target Milestone: | --- | | |
Hardware: | PC | | |
OS: | All | | |
Attachments: | Reproduction certificate | | |
Created attachment 32562: Reproduction certificate

mod_ssl calls free() instead of OPENSSL_free() on the result of BN_bn2dec() when reading the pathlen of a certificate's basic constraints. This is in the SSL_X509_getBC() function of ssl_util_ssl.c. At least on Windows, this crashes when mod_ssl and OpenSSL are built against different C run-times.

Steps to Reproduce:
1) Configure httpd to use an SSL certificate with the basicConstraints extension containing a pathlen (sample cert attached).
2) Start the server.

Actual Results:
The server crashed.

Expected Results:
The server starts, using the configured certificate.

Build Date & Hardware:
64-bit Windows build of httpd/mod_ssl 2.4.7 using msvc 11.0 and OpenSSL 1.0.1 built with msvc 9.0

Additional Builds and Platforms:
I have verified that free() is still used in trunk.