[tomcat] branch 9.0.x updated: Avoid possible infinite loop in unwrap

Previous Topic Next Topic
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[tomcat] branch 9.0.x updated: Avoid possible infinite loop in unwrap

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

The following commit(s) were added to refs/heads/9.0.x by this push:
     new 95ceaf7  Avoid possible infinite loop in unwrap
95ceaf7 is described below

commit 95ceaf7b322eef7bc913d031a76306fd53c0cc48
Author: remm <[hidden email]>
AuthorDate: Thu Jan 21 21:18:44 2021 +0100

    Avoid possible infinite loop in unwrap
    As described in the testcase and debug info for 64771, an infinite loop
    can occur if the buffers state changes concurrently to unwrap. The
    capacity is set at the beginning of the method. If the last buffer
    remaining becomes 0 for some reason, then idx will become equal to
    endOffset and the code will loop endlessly, as long as
    pendingReadableBytesInSSL returns > 0.
    In that particular case, break the loop with an ISE that will allow
    noticing the issue.
 java/org/apache/tomcat/util/net/openssl/LocalStrings.properties | 1 +
 java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java      | 5 +++++
 webapps/docs/changelog.xml                                      | 4 ++++
 3 files changed, 10 insertions(+)

diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
index 3606acd..84990f3 100644
--- a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
@@ -19,6 +19,7 @@ engine.engineClosed=Engine is closed
 engine.failedCipherSuite=Failed to enable cipher suite [{0}]
 engine.inboundClose=Inbound closed before receiving peer's close_notify
 engine.invalidBufferArray=offset: [{0}], length: [{1}] (expected: offset <= offset + length <= srcs.length [{2}])
+engine.invalidDestinationBuffersState=The state of the destination buffers changed concurrently while unwrapping bytes
 engine.noRestrictSessionCreation=OpenSslEngine does not permit restricting the engine to only resuming existing sessions
 engine.noSSLContext=No SSL context
 engine.noSession=SSL session ID not available
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
index e48acb4..cdd0617 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
@@ -567,6 +567,11 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
         while (pendingApp > 0) {
+            if (idx == endOffset) {
+                // Destination buffer state changed (no remaining space although
+                // capacity is still available), so break loop with an error
+                throw new IllegalStateException(sm.getString("engine.invalidDestinationBuffersState"));
+            }
             // Write decrypted data to dsts buffers
             while (idx < endOffset) {
                 ByteBuffer dst = dsts[idx];
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index effbe27..c9010e8 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -175,6 +175,10 @@
         <bug>65001</bug>: Fix error handling for exceptions throw from calls
         to <code>ReadListener</code> and <code>WriteListener</code>. (markt)
+      <fix>
+        Avoid possible infinite loop in <code>OpenSSLEngine.unwrap</code>
+        when the destination buffers state is changed concurrently. (remm)
+      </fix>
   <subsection name="Jasper">

To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]