This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/master by this push:
new 5ee9947 Avoid possible infinite loop in unwrap
5ee9947 is described below
commit 5ee9947fee01b7fa3e95d51a3092e9f5556d6df8
Author: remm <r...@apache.org>
AuthorDate: Thu Jan 21 21:18:44 2021 +0100
Avoid possible infinite loop in unwrap
As described in the testcase and debug info for 64771, an infinite loop
can occur if the buffers state changes concurrently to unwrap. The
capacity is set at the beginning of the method. If the last buffer
remaining becomes 0 for some reason, then idx will become equal to
endOffset and the code will loop endlessly, as long as
pendingReadableBytesInSSL returns > 0.
In that particular case, break the loop with an ISE that will allow
noticing the issue.
---
java/org/apache/tomcat/util/net/openssl/LocalStrings.properties | 1 +
java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java | 5 +++++
webapps/docs/changelog.xml | 4 ++++
3 files changed, 10 insertions(+)
diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
index 3606acd..84990f3 100644
--- a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
@@ -19,6 +19,7 @@ engine.engineClosed=Engine is closed
engine.failedCipherSuite=Failed to enable cipher suite [{0}]
engine.inboundClose=Inbound closed before receiving peer's close_notify
engine.invalidBufferArray=offset: [{0}], length: [{1}] (expected: offset <=
offset + length <= srcs.length [{2}])
+engine.invalidDestinationBuffersState=The state of the destination buffers
changed concurrently while unwrapping bytes
engine.noRestrictSessionCreation=OpenSslEngine does not permit restricting the
engine to only resuming existing sessions
engine.noSSLContext=No SSL context
engine.noSession=SSL session ID not available
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
index e48acb4..cdd0617 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
@@ -567,6 +567,11 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
}
while (pendingApp > 0) {
+ if (idx == endOffset) {
+ // Destination buffer state changed (no remaining space
although
+ // capacity is still available), so break loop with an error
+ throw new
IllegalStateException(sm.getString("engine.invalidDestinationBuffersState"));
+ }
// Write decrypted data to dsts buffers
while (idx < endOffset) {
ByteBuffer dst = dsts[idx];
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 0c6316b..4ff2839 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -175,6 +175,10 @@
<bug>65001</bug>: Fix error handling for exceptions throw from calls
to <code>ReadListener</code> and <code>WriteListener</code>. (markt)
</fix>
+ <fix>
+ Avoid possible infinite loop in <code>OpenSSLEngine.unwrap</code>
+ when the destination buffers state is changed concurrently. (remm)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
