Bug 53937 - Double call to apr_pool_destroy() if OCSP checking is enabled and OCSP server is unreachable leads to crash
Summary: Double call to apr_pool_destroy() if OCSP checking is enabled and OCSP server...
Alias: None
Product: Tomcat Native
Classification: Unclassified
Component: Library (show other bugs)
Version: 1.1.24
Hardware: All Linux
: P2 regression (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2012-09-26 16:40 UTC by Aristotelis
Modified: 2013-07-25 21:01 UTC (History)
0 users

Bug Fix for the double apr_pool_destroy() (578 bytes, patch)
2012-09-26 16:40 UTC, Aristotelis
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Aristotelis 2012-09-26 16:40:19 UTC
Created attachment 29422 [details]
Bug Fix for the double apr_pool_destroy()

When OCSP checking is enabled, the code checks the OCSP server. If the OCSP server is contacted everything goes fine. However if the OCSP server cannot be contacted, this leads to a double apr_pool_destroy() that crashes the thread, can lead to TOMCAT crash. The problem exists in 
static int ssl_ocsp_request(X509 *cert, X509 *issuer);

and the problem exists in the following code:

    if (ocsp_urls != NULL) {
        OCSP_RESPONSE *resp;
        /* for the time being just check for the fist response .. a better                                                                                    
           approach is to iterate for all the possible ocsp urls */
        resp = get_ocsp_response(cert, issuer, ocsp_urls[0]);

        if (resp != NULL)
            return process_ocsp_response(resp);

If get_ocsp_response returns NULL, then apr_pool_destroy(p) is called twice.

I believe that this should also affect 1.1.23

A bug fix is included in the attached patch
Comment 1 Christopher Schultz 2013-07-25 21:01:43 UTC
Fixed in 1.1 branch. Will be available in 1.1.28.