Description:

If 'SSLVerifyClient' is configured for some location, mod_ssl is starting a re-negotiation of the SSL connection in the function 'ssl_io_filter_connect(..)'.

MSIE (Internet Explorer) is handling that kind of re-negotiation in the following way:
a) it is finishing the current handshake (see logfile)
b) afterwards it is starting a new handshake, now presenting a client certificate

So the whole situation is handled by mod_ssl in the following way:
1) mod_ssl is starting a re-negotiation
2) the client does not finish the handshake (see a) )
3) mod_ssl is freeing the SSL struct using 'SSL_free(..)' (by that, the allocated BIOs will also be freed)
4) the browser is starting a new handshake (see b) ), using the same TCP connection (Keep-Alive is enabled), and so the already freed SSL struct and BIOs will be used by mod_ssl (due to the fact that they are bound to the conn_rec struct)

I.e. mod_ssl is reading already freed memory. We have proven this using Purify (Version 2002a.06.00 on Solaris 2.8).

Fix:

If the handshake is failing in 'ssl_io_filter_connect(..)', the connection will be aborted. For stability reasons, the pointers to the BIOs will be reset in 'ssl_filter_io_shutdown(..)' and checked in 'ssl_filter_write(..)'. We have tested the fix again with the same memory access checker.

Log-Message:

[Wed Jul 02 19:07:21 2003] [info] Requesting connection re-negotiation
[Wed Jul 02 19:07:21 2003] [info] Awaiting re-negotiation handshake
[Wed Jul 02 19:07:21 2003] [error] Re-negotiation handshake failed: Not accepted by client!?

Diff:

diff -c -r1.2 -r1.3 *** ssl_engine_io.c 2003/04/16 14:14:39 1.2 --- ssl_engine_io.c 2003/07/03 11:36:24 1.3 *************** *** 780,789 **** apr_size_t len) { ssl_filter_ctx_t *filter_ctx = f->ctx; ! bio_filter_out_ctx_t *outctx = ! (bio_filter_out_ctx_t *)(filter_ctx->pbioWrite->ptr); ! int res; /* write SSL */ if (filter_ctx->pssl == NULL) { return APR_EGENERAL; --- 780,795 ---- apr_size_t len) { ssl_filter_ctx_t *filter_ctx = f->ctx; ! 
bio_filter_out_ctx_t *outctx = NULL; ! int res; + /* 2.7.2003/hk,mv: BIOS has been freed*/ + if (filter_ctx->pbioWrite == NULL) { + return APR_EGENERAL; + } + + outctx = (bio_filter_out_ctx_t *)(filter_ctx->pbioWrite->ptr); + /* write SSL */ if (filter_ctx->pssl == NULL) { return APR_EGENERAL; *************** *** 999,1004 **** --- 1005,1014 ---- sslconn->ssl = NULL; filter_ctx->pssl = NULL; /* so filters know we've been shutdown */ + /* 2.7.2003/hk,mv: BIOS is freed reset the pointers*/ + filter_ctx->pbioRead = NULL; + filter_ctx->pbioWrite = NULL; + return APR_SUCCESS; } *************** *** 1112,1117 **** --- 1122,1129 ---- inctx->rc = APR_EGENERAL; } + /* 2.7.2003/hk,mv: handshake failed, close the connection */ + c->aborted=1; return ssl_filter_io_shutdown(filter_ctx, c, 1); } *************** *** 1153,1158 **** --- 1165,1172 ---- error ? error : "unknown"); ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server); + /* 2.7.2003/hk,mv: no client cert, close the connection */ + c->aborted=1; return ssl_filter_io_shutdown(filter_ctx, c, 1); } }
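Review bot: The new NULL check on filter_ctx->pbioWrite in ssl_filter_write only helps if every path that frees the SSL object (and with it the BIOs) also clears the filter context's pointers; the patch does that in ssl_filter_io_shutdown, but any other teardown that calls SSL_free without resetting pbioWrite leaves the same dangling pointer behind the check. Since the shutdown now clears pssl and pbioWrite together, the two separate checks could also be folded into one `if (filter_ctx->pssl == NULL || filter_ctx->pbioWrite == NULL)` before outctx is computed, and the comment should read "BIOs" rather than "BIOS".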
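Review bot: pbioRead is reset to NULL in ssl_filter_io_shutdown, but the patch adds a NULL check only for pbioWrite (in ssl_filter_write); if the read filter dereferences filter_ctx->pbioRead before it tests filter_ctx->pssl, it needs the same guard, otherwise the reset only turns a use-after-free into a NULL dereference on that path. Worth confirming that the read side checks pssl (or pbioRead) first.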
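Review bot: `c->aborted=1;` is added here and again in the next hunk, immediately before identical `ssl_filter_io_shutdown(filter_ctx, c, 1)` calls; consider setting the aborted flag inside ssl_filter_io_shutdown when its third argument is non-zero (it is already 1 at both call sites), so a future failure path cannot forget it. Style: `c->aborted = 1;` with spaces around the assignment, matching the surrounding code.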
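Review bot: With c->aborted set on the no-client-cert path, the browser's follow-up handshake on the same keep-alive connection (step b in the description) now meets a closed socket and has to reconnect; that is the intended effect, but the existing "Not accepted by client!?" log line gives an operator no hint that the connection was deliberately dropped. Consider extending the message to say the connection is being closed. Same spacing nit on `c->aborted=1;`.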
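The lifetime problem described in the report, replayed in a small model as an added example (not mod_ssl's code): the struct and function names mirror the report (pssl, pbioWrite, conn_rec aborted flag, SSL_free releasing the BIOs) but are simplified stand-ins, and the second request on the keep-alive connection is simulated by a second write call.

```c
/* Added model of the lifetime bug in the report: the filter context bound to the
 * connection aliases BIOs that SSL_free() releases. Simplified stand-ins, not mod_ssl. */
#include <stdlib.h>
#include <string.h>
#define APR_SUCCESS  0
#define APR_EGENERAL 1
typedef struct { char buf[64]; } bio_t;                           /* stand-in for BIO */
typedef struct { bio_t *rbio; bio_t *wbio; } ssl_t;               /* stand-in for SSL */
typedef struct { int aborted; } conn_rec_t;                       /* stand-in for conn_rec */
typedef struct { ssl_t *pssl; bio_t *pbioRead; bio_t *pbioWrite; } ssl_filter_ctx_t;
/* Like SSL_free(): releasing the SSL object also releases the BIOs it owns. */
static void ssl_free(ssl_t *s) { free(s->rbio); free(s->wbio); free(s); }
static ssl_filter_ctx_t *filter_ctx_new(void) {
    ssl_filter_ctx_t *f = calloc(1, sizeof *f);
    f->pssl = calloc(1, sizeof *f->pssl);
    f->pssl->rbio = calloc(1, sizeof(bio_t));
    f->pssl->wbio = calloc(1, sizeof(bio_t));
    f->pbioRead  = f->pssl->rbio;    /* aliases: they dangle once ssl_free() runs */
    f->pbioWrite = f->pssl->wbio;
    return f;
}
/* Patched shutdown: free, clear every alias of the freed memory, and on a failed
 * handshake flag the connection so the core will not reuse it (c->aborted = 1). */
static int ssl_filter_io_shutdown(ssl_filter_ctx_t *f, conn_rec_t *c, int handshake_failed) {
    if (f->pssl) ssl_free(f->pssl);
    f->pssl = NULL;
    f->pbioRead = f->pbioWrite = NULL;
    if (handshake_failed) c->aborted = 1;
    return APR_SUCCESS;
}
/* Patched write: test the pointer before dereferencing it, as the diff does. */
static int ssl_filter_write(ssl_filter_ctx_t *f, const char *data, size_t len) {
    if (f->pbioWrite == NULL || f->pssl == NULL || len > sizeof f->pbioWrite->buf)
        return APR_EGENERAL;
    memcpy(f->pbioWrite->buf, data, len);
    return APR_SUCCESS;
}
/* Replays the report's sequence: a request, the failed re-negotiation, then a second
 * request on the same keep-alive connection. Returns 1 when the second write is refused
 * cleanly and the connection is marked for closing instead of touching freed memory. */
static int replay_report_sequence(void) {
    conn_rec_t c = { 0 };
    ssl_filter_ctx_t *f = filter_ctx_new();
    int first  = ssl_filter_write(f, "GET / HTTP/1.1", 14);
    ssl_filter_io_shutdown(f, &c, 1);                        /* step 3: client did not finish */
    int second = ssl_filter_write(f, "GET / HTTP/1.1", 14);  /* step 4: same TCP connection */
    free(f);
    return first == APR_SUCCESS && second == APR_EGENERAL && c.aborted == 1;
}
```

Without the pointer reset and the aborted flag, the second write in replay_report_sequence would dereference a freed BIO, which is exactly what the attached memory checker output caught.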
Created attachment 7121: memory access checker output
Thanks very much for the report and patch; a variant of the patch has been committed to CVS.
*** Bug 22832 has been marked as a duplicate of this bug. ***