https://issues.apache.org/bugzilla/show_bug.cgi?id=53937
Priority: P2
Bug ID: 53937
Assignee: dev@tomcat.apache.org
Summary: Double call to apr_pool_destroy() if OCSP checking is
enabled and OCSP server is unreachable leads to crash
Severity: regression
Classification: Unclassified
OS: Linux
Reporter: ar...@noc.edunet.gr
Hardware: All
Status: NEW
Version: 1.1.24
Component: Library
Product: Tomcat Native
Created attachment 29422
--> https://issues.apache.org/bugzilla/attachment.cgi?id=29422&action=edit
Bug Fix for the double apr_pool_destroy()
When OCSP checking is enabled, the code checks the OCSP server. If the OCSP
server is contacted everything goes fine. However if the OCSP server cannot be
contacted, this leads to a double apr_pool_destroy() that crashes the thread,
can lead to TOMCAT crash. The problem exists in
static int ssl_ocsp_request(X509 *cert, X509 *issuer);
and the problem exists in the following code:
if (ocsp_urls != NULL) {
OCSP_RESPONSE *resp;
/* for the time being just check for the fist response .. a better
approach is to iterate for all the possible ocsp urls */
resp = get_ocsp_response(cert, issuer, ocsp_urls[0]);
apr_pool_destroy(p);
if (resp != NULL)
return process_ocsp_response(resp);
}
apr_pool_destroy(p);
return OCSP_STATUS_UNKNOWN;
}
If get_ocsp_response returns NULL, then apr_pool_destroy(p) is called twice.
I believe that this should also affect 1.1.23
A bug fix is included in the attached patch
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
