[tomcat] branch master updated: Avoid possible infinite loop in unwrap


This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git

The following commit(s) were added to refs/heads/master by this push:
     new 5ee9947  Avoid possible infinite loop in unwrap
5ee9947 is described below

commit 5ee9947fee01b7fa3e95d51a3092e9f5556d6df8
Author: remm <[hidden email]>
AuthorDate: Thu Jan 21 21:18:44 2021 +0100

    Avoid possible infinite loop in unwrap
    As described in the testcase and debug info for 64771, an infinite loop
    can occur if the buffers state changes concurrently to unwrap. The
    capacity is set at the beginning of the method. If the last buffer
    remaining becomes 0 for some reason, then idx will become equal to
    endOffset and the code will loop endlessly, as long as
    pendingReadableBytesInSSL returns > 0.
    In that particular case, break the loop with an ISE that will allow
    noticing the issue.
 java/org/apache/tomcat/util/net/openssl/LocalStrings.properties | 1 +
 java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java      | 5 +++++
 webapps/docs/changelog.xml                                      | 4 ++++
 3 files changed, 10 insertions(+)

diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
index 3606acd..84990f3 100644
--- a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
@@ -19,6 +19,7 @@ engine.engineClosed=Engine is closed
 engine.failedCipherSuite=Failed to enable cipher suite [{0}]
 engine.inboundClose=Inbound closed before receiving peer's close_notify
 engine.invalidBufferArray=offset: [{0}], length: [{1}] (expected: offset <= offset + length <= srcs.length [{2}])
+engine.invalidDestinationBuffersState=The state of the destination buffers changed concurrently while unwrapping bytes
 engine.noRestrictSessionCreation=OpenSslEngine does not permit restricting the engine to only resuming existing sessions
 engine.noSSLContext=No SSL context
 engine.noSession=SSL session ID not available
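Review bot: The new `engine.invalidDestinationBuffersState` message takes no parameters, unlike the neighbouring `engine.invalidBufferArray`, which reports offset, length and array size. When this exception shows up in a log, the only way to tell how far the unwrap got is to attach a debugger. Consider adding placeholders such as `[{0}]` for the buffer index and `[{1}]` for the pending application bytes so the condition can be diagnosed from the log line alone.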
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
index e48acb4..cdd0617 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
@@ -567,6 +567,11 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
         while (pendingApp > 0) {
+            if (idx == endOffset) {
+                // Destination buffer state changed (no remaining space although
+                // capacity is still available), so break loop with an error
+                throw new IllegalStateException(sm.getString("engine.invalidDestinationBuffersState"));
+            }
             // Write decrypted data to dsts buffers
             while (idx < endOffset) {
                 ByteBuffer dst = dsts[idx];
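Review bot: The `if (idx == endOffset)` guard throws an unchecked `IllegalStateException` from a method that extends `SSLEngine.unwrap`, where callers normally handle `SSLException`. A caller that only catches the checked exception will let this propagate past its usual connection-cleanup path. Either throw an `SSLException` with the same message, or confirm that every caller closes the connection on a runtime exception, since decrypted bytes are still pending (`pendingApp > 0`) when the loop is abandoned and the engine should not be reused. The guard also reports the symptom only: it would help to say in the comment that the destination buffers must not be touched by another thread during unwrap, because that is the contract being violated.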
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 0c6316b..4ff2839 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -175,6 +175,10 @@
         <bug>65001</bug>: Fix error handling for exceptions throw from calls
         to <code>ReadListener</code> and <code>WriteListener</code>. (markt)
+      <fix>
+        Avoid possible infinite loop in <code>OpenSSLEngine.unwrap</code>
+        when the destination buffers state is changed concurrently. (remm)
+      </fix>
   <subsection name="Jasper">
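Review bot: The added `<fix>` entry does not reference the Bugzilla report, although the commit message cites 64771 as the source of the testcase and debug info, and the entry just above uses the `<bug>65001</bug>:` form. If this change is meant to address that report, prefix the entry with `<bug>64771</bug>:` so users tracking the hang can find the fix in the changelog. If it is only a defensive guard and the root cause is still open, say so in the entry text.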
