This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 95ceaf7 Avoid possible infinite loop in unwrap
95ceaf7 is described below
commit 95ceaf7b322eef7bc913d031a76306fd53c0cc48
Author: remm <r...@apache.org>
AuthorDate: Thu Jan 21 21:18:44 2021 +0100
Avoid possible infinite loop in unwrap
As described in the testcase and debug info for 64771, an infinite loop
can occur if the buffers state changes concurrently to unwrap. The
capacity is set at the beginning of the method. If the last buffer
remaining becomes 0 for some reason, then idx will become equal to
endOffset and the code will loop endlessly, as long as
pendingReadableBytesInSSL returns > 0.
In that particular case, break the loop with an ISE that will allow
noticing the issue.
---
java/org/apache/tomcat/util/net/openssl/LocalStrings.properties | 1 +
java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java | 5 +++++
webapps/docs/changelog.xml | 4 ++++
3 files changed, 10 insertions(+)
diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
index 3606acd..84990f3 100644
--- a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
@@ -19,6 +19,7 @@ engine.engineClosed=Engine is closed
engine.failedCipherSuite=Failed to enable cipher suite [{0}]
engine.inboundClose=Inbound closed before receiving peer's close_notify
engine.invalidBufferArray=offset: [{0}], length: [{1}] (expected: offset <=
offset + length <= srcs.length [{2}])
+engine.invalidDestinationBuffersState=The state of the destination buffers
changed concurrently while unwrapping bytes
engine.noRestrictSessionCreation=OpenSslEngine does not permit restricting the
engine to only resuming existing sessions
engine.noSSLContext=No SSL context
engine.noSession=SSL session ID not available
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
index e48acb4..cdd0617 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
@@ -567,6 +567,11 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
}
while (pendingApp > 0) {
+ if (idx == endOffset) {
+ // Destination buffer state changed (no remaining space
although
+ // capacity is still available), so break loop with an error
+ throw new
IllegalStateException(sm.getString("engine.invalidDestinationBuffersState"));
+ }
// Write decrypted data to dsts buffers
while (idx < endOffset) {
ByteBuffer dst = dsts[idx];
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index effbe27..c9010e8 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -175,6 +175,10 @@
<bug>65001</bug>: Fix error handling for exceptions throw from calls
to <code>ReadListener</code> and <code>WriteListener</code>. (markt)
</fix>
+ <fix>
+ Avoid possible infinite loop in <code>OpenSSLEngine.unwrap</code>
+ when the destination buffers state is changed concurrently. (remm)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
