Bug 57694 - Crash using SSL certificate with pathlen constraint due to free()
Summary: Crash using SSL certificate with pathlen constraint due to free()
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.4.7
Hardware: PC All
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: FixedInTrunk
Depends on:
Reported: 2015-03-12 19:39 UTC by Paul Spangler
Modified: 2015-06-27 07:24 UTC (History)
1 user (show)

Reproduction certificate (1.04 KB, text/plain)
2015-03-12 19:39 UTC, Paul Spangler

Note You need to log in before you can comment on or make changes to this bug.
Description Paul Spangler 2015-03-12 19:39:58 UTC
Created attachment 32562 [details]
Reproduction certificate

mod_ssl calls free() instead of OPENSSL_free() on the result of BN_bn2dec() when reading the pathlen of a certificate's basic constraints. This is in SSL_X509_getBC() function of ssl_util_ssl.c. At least on Windows, this crashes when mod_ssl and OpenSSL are built against different C run-times.

Steps to Reproduce:

    1) Configure httpd to use an SSL certificate with the basicConstraints extension containing a pathlen (sample cert attached).

    2) Start the server.

Actual Results:

    The server crashed.

Expected Results:

    The server starts, using the configured certificate.

Build Date & Hardware:

    64-bit Windows build of httpd/mod_ssl 2.4.7 using msvc 11.0
    and OpenSSL 1.0.1 built with msvc 9.0

Additional Builds and Platforms:

    I have verified that free() is still used in trunk.
Comment 1 Yann Ylavic 2015-03-12 20:50:53 UTC
Thanks, fixed in r1666297.
Comment 2 Christophe JAILLET 2015-06-27 07:24:13 UTC
This is part of the (unreleased) 2.4.13
backport in r1673940