13 changes: 9 additions & 4 deletions modules/ssl/ssl_engine_pphrase.c
@@ -181,9 +181,9 @@ apr_status_t ssl_load_encrypted_pkey(server_rec *s, apr_pool_t *p, int idx,
if (pkey_mtime) {
ssl_asn1_t *asn1 = ssl_asn1_table_get(mc->retained->privkeys, key_id);
if (asn1 && (asn1->source_mtime == pkey_mtime)) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(02575)
"Reusing existing private key from %s on restart",
ppcb_arg.pkey_file);
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Reusing existing private key from %s on restart",
ppcb_arg.pkey_file);
return APR_SUCCESS;
}
}
@@ -338,6 +338,11 @@ apr_status_t ssl_load_encrypted_pkey(server_rec *s, apr_pool_t *p, int idx,
/* Cache the private key in the global module configuration so it
* can be used after subsequent reloads. */
asn1 = ssl_asn1_table_set(mc->retained->privkeys, key_id, pPrivateKey);
if (!asn1) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
"mod_ssl: Failed to cache private key");
return ssl_die(s);
}

if (ppcb_arg.nPassPhraseDialogCur != 0) {
/* remember mtime of encrypted keys */
@@ -1024,4 +1029,4 @@ apr_status_t modssl_load_engine_keypair(server_rec *s,
vhostid, certid ? certid : "no cert", keyid);
return APR_ENOTIMPL;
#endif
}
}
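Review bot: The new `if (!asn1)` branch at -338 returns through `ssl_die(s)` right after `ssl_asn1_table_set()` fails, while `pPrivateKey` still holds the decrypted private key. The rest of ssl_load_encrypted_pkey is outside the hunk, so this needs confirming, but if the key is released further down with `EVP_PKEY_free(pPrivateKey)`, the early return skips that and leaves key material allocated. Add `EVP_PKEY_free(pPrivateKey);` before `return ssl_die(s);`, or route the failure through the function's existing cleanup path. The new APLOG_EMERG message also carries no `APLOGNO()` tag, unlike the `APLOGNO(02575)` form shown in the first hunk, so it cannot be looked up by number in error logs.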
17 changes: 14 additions & 3 deletions modules/ssl/ssl_util.c
@@ -201,7 +201,14 @@ ssl_asn1_t *ssl_asn1_table_set(apr_hash_t *table, const char *key,
{
apr_ssize_t klen = strlen(key);
ssl_asn1_t *asn1 = apr_hash_get(table, key, klen);
apr_size_t length = i2d_PrivateKey(pkey, NULL);
int derlen = i2d_PrivateKey(pkey, NULL);
if (derlen <= 0) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf,
"mod_ssl: Failed to encode private key");
return NULL;
}

apr_size_t length = (apr_size_t)derlen;
unsigned char *p;

/* Re-use structure if cached previously. */
@@ -220,7 +227,11 @@ ssl_asn1_t *ssl_asn1_table_set(apr_hash_t *table, const char *key,

asn1->nData = length;
p = asn1->cpData;
i2d_PrivateKey(pkey, &p); /* increases p by length */
if (i2d_PrivateKey(pkey, &p) != derlen) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf,
"mod_ssl: Failed to serialize private key");
return NULL;
}

return asn1;
}
@@ -506,4 +517,4 @@ int modssl_is_engine_id(const char *name)
#else
return 0;
#endif
}
}
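Review bot: When the second `i2d_PrivateKey(pkey, &p)` call in the -220 hunk fails, `ssl_asn1_table_set()` returns NULL after `asn1->nData = length` has been written and `cpData` may be partly overwritten. On the re-use path that `asn1` is the entry `apr_hash_get()` found in the table, so it stays cached without valid DER behind it, and a later `ssl_asn1_table_get()` hit could hand it back as a usable key. Drop the entry before returning, e.g. `ssl_asn1_table_unset(table, key);` ahead of `return NULL;`, and wipe the partial buffer first since it holds private-key bytes. The code between the two hunks, where a new entry is allocated and presumably inserted, is not visible here, so whether a freshly created entry is also left in the table should be confirmed.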