From: Jeremy Harris Date: Sun, 28 Jul 2019 13:47:29 +0000 (+0100) Subject: Fix crash after TLS channel shutdown X-Git-Tag: exim-4.93-RC0~121 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/bd231acd0f24e4c27c6d6885f48c24360700ec7f?ds=inline;hp=1a44d9d799eb1f94d87ae2cef4ca5b31720ccf88 Fix crash after TLS channel shutdown --- diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 2bfa77622..9af9a9759 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -157,6 +157,10 @@ JH/33 Bug 2413: Fix dkim_strict option. Previously the expansion result was unused and the unexpanded text used for the test. Found and fixed by Ruben Jenster. +JH/34 Fix crash after TLS shutdown. When the TCP/SMTP channel was left open, + an attempt to use a TLS library read routine dereffed a nul pointer, + causing a segfault. + Exim version 4.92 ----------------- diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index ca60ddb6a..de44313e8 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -2836,8 +2836,9 @@ void tls_close(void * ct_ctx, int shutdown) { exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server; +tls_support * tlsp = state->tlsp; -if (!state->tlsp || state->tlsp->active.sock < 0) return; /* TLS was not active */ +if (!tlsp || tlsp->active.sock < 0) return; /* TLS was not active */ if (shutdown) { @@ -2849,12 +2850,26 @@ if (shutdown) ALARM_CLR(0); } +if (!ct_ctx) /* server */ + { + receive_getc = smtp_getc; + receive_getbuf = smtp_getbuf; + receive_get_cache = smtp_get_cache; + receive_ungetc = smtp_ungetc; + receive_feof = smtp_feof; + receive_ferror = smtp_ferror; + receive_smtp_buffered = smtp_buffered; + } + gnutls_deinit(state->session); gnutls_certificate_free_credentials(state->x509_cred); +tlsp->active.sock = -1; +tlsp->active.tls_ctx = NULL; +/* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */ +tls_channelbinding_b64 = NULL; + -state->tlsp->active.sock = -1; -state->tlsp->active.tls_ctx = NULL; if (state->xfer_buffer) store_free(state->xfer_buffer); memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init)); } @@ -2904,28 +2919,7 @@ if (sigalrm_seen) else if (inbytes == 0) { DEBUG(D_tls) debug_printf("Got TLS_EOF\n"); - - receive_getc = smtp_getc; - receive_getbuf = smtp_getbuf; - receive_get_cache = smtp_get_cache; - receive_ungetc = smtp_ungetc; - receive_feof = smtp_feof; - receive_ferror = smtp_ferror; - receive_smtp_buffered = smtp_buffered; - - gnutls_deinit(state->session); - gnutls_certificate_free_credentials(state->x509_cred); - - state->session = NULL; - state->tlsp->active.sock = -1; - state->tlsp->active.tls_ctx = NULL; - state->tlsp->bits = 0; - state->tlsp->certificate_verified = FALSE; - tls_channelbinding_b64 = NULL; - state->tlsp->cipher = NULL; - state->tlsp->peercert = NULL; - state->tlsp->peerdn = NULL; - + tls_close(NULL, TLS_NO_SHUTDOWN); return FALSE; } diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 9542a1ed4..e219f5cc1 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -3189,32 +3189,10 @@ switch(error) case SSL_ERROR_ZERO_RETURN: DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n"); - receive_getc = smtp_getc; - receive_getbuf = smtp_getbuf; - receive_get_cache = smtp_get_cache; - receive_ungetc = smtp_ungetc; - receive_feof = smtp_feof; - receive_ferror = smtp_ferror; - receive_smtp_buffered = smtp_buffered; - if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN) SSL_shutdown(server_ssl); -#ifndef DISABLE_OCSP - sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free); - server_static_cbinfo->verify_stack = NULL; -#endif - SSL_free(server_ssl); - SSL_CTX_free(server_ctx); - server_ctx = NULL; - server_ssl = NULL; - tls_in.active.sock = -1; - tls_in.active.tls_ctx = NULL; - tls_in.bits = 0; - tls_in.cipher = NULL; - tls_in.peerdn = NULL; - tls_in.sni = NULL; - + tls_close(NULL, TLS_NO_SHUTDOWN); return FALSE; /* Handle genuine errors */ @@ -3503,14 +3481,25 @@ if (shutdown) } } -#ifndef DISABLE_OCSP if (!o_ctx) /* server side */ { +#ifndef DISABLE_OCSP sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free); server_static_cbinfo->verify_stack = NULL; - } #endif + receive_getc = smtp_getc; + receive_getbuf = smtp_getbuf; + receive_get_cache = smtp_get_cache; + receive_ungetc = smtp_ungetc; + receive_feof = smtp_feof; + receive_ferror = smtp_ferror; + receive_smtp_buffered = smtp_buffered; + tls_in.active.tls_ctx = NULL; + tls_in.sni = NULL; + /* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */ + } + SSL_CTX_free(*ctxp); SSL_free(*sslp); *ctxp = NULL; diff --git a/src/src/verify.c b/src/src/verify.c index e98dee669..a1276068b 100644 --- a/src/src/verify.c +++ b/src/src/verify.c @@ -1172,7 +1172,7 @@ if (!done) /* Come here from within the cache-reading code on fast-track exit. */ END_CALLOUT: -tls_modify_variables(&tls_in); +tls_modify_variables(&tls_in); /* return variables to inbound values */ return yield; } @@ -2193,7 +2193,7 @@ the -bv or -bt case). */ out: verify_mode = NULL; -tls_modify_variables(&tls_in); +tls_modify_variables(&tls_in); /* return variables to inbound values */ return yield; }