author | Marcus Alves Grando <mnag@FreeBSD.org> | 2008-04-13 03:50:28 +0000 |
committer | Marcus Alves Grando <mnag@FreeBSD.org> | 2008-04-13 03:50:28 +0000 |
commit | 6ebb75461bf72af581ca389629f07d134ce628db (patch) | |
tree | e6a08e9d4c13012c5a333c9785b0c09f2714d7a9 /www/lighttpd/files | |
parent | - Update to 3.0.18 (diff) |
- Fix DOS in SSL connection
PR: 122526
Submitted by: Harald Schmalzbauer <harry___omnisec.de>
Security: http://www.vuxml.org/freebsd/1ac77649-0908-11dd-974d-000fea2763ce.html
Diffstat (limited to 'www/lighttpd/files')
-rw-r--r-- | www/lighttpd/files/patch-CVE-2008-1531 | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/www/lighttpd/files/patch-CVE-2008-1531 b/www/lighttpd/files/patch-CVE-2008-1531
new file mode 100644
index 000000000000..f23c92cf4d3c
--- /dev/null
+++ b/www/lighttpd/files/patch-CVE-2008-1531
@@ -0,0 +1,119 @@
+Index: src/connections.c
+===================================================================
+--- src/connections.c (revision 2103)
++++ src/connections.c (revision 2136)
+@@ -200,4 +200,5 @@
+ /* don't resize the buffer if we were in SSL_ERROR_WANT_* */
+
++ ERR_clear_error();
+ do {
+ if (!con->ssl_error_want_reuse_buffer) {
+@@ -1670,4 +1671,5 @@
+ if (srv_sock->is_ssl) {
+ int ret;
++ ERR_clear_error();
+ switch ((ret = SSL_shutdown(con->ssl))) {
+ case 1:
+@@ -1675,6 +1677,8 @@
+ break;
+ case 0:
+- SSL_shutdown(con->ssl);
+- break;
++ ERR_clear_error();
++ if ((ret = SSL_shutdown(con->ssl)) == 1) break;
++
++ // fall through
+ default:
+ log_error_write(srv, __FILE__, __LINE__, "sds", "SSL:",
+Index: src/network_openssl.c
+===================================================================
+--- src/network_openssl.c (revision 2084)
++++ src/network_openssl.c (revision 2136)
+@@ -86,4 +86,5 @@
+ */
+
++ ERR_clear_error();
+ if ((r = SSL_write(ssl, offset, toSend)) <= 0) {
+ unsigned long err;
+@@ -188,4 +189,5 @@
+ close(ifd);
+
++ ERR_clear_error();
+ if ((r = SSL_write(ssl, s, toSend)) <= 0) {
+ unsigned long err;
+Index: src/connections.c
+===================================================================
+--- src/connections.c (revision 2136)
++++ src/connections.c (revision 2139)
+@@ -1670,5 +1670,6 @@
+ #ifdef USE_OPENSSL
+ if (srv_sock->is_ssl) {
+- int ret;
++ int ret, ssl_r;
++ unsigned long err;
+ ERR_clear_error();
+ switch ((ret = SSL_shutdown(con->ssl))) {
+@@ -1678,14 +1679,40 @@
+ case 0:
+ ERR_clear_error();
+- if ((ret = SSL_shutdown(con->ssl)) == 1) break;
++ if (-1 != (ret = SSL_shutdown(con->ssl))) break;
+
+ // fall through
+ default:
+- log_error_write(srv, __FILE__, __LINE__, "sds", "SSL:",
+- SSL_get_error(con->ssl, ret),
+- ERR_error_string(ERR_get_error(), NULL));
+- return -1;
++
++ switch ((ssl_r = SSL_get_error(con->ssl, ret))) {
++ case SSL_ERROR_WANT_WRITE:
++ case SSL_ERROR_WANT_READ:
++ break;
++ case SSL_ERROR_SYSCALL:
++ /* perhaps we have error waiting in our error-queue */
++ if (0 != (err = ERR_get_error())) {
++ do {
++ log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
++ ssl_r, ret,
++ ERR_error_string(err, NULL));
++ } while((err = ERR_get_error()));
++ } else {
++ log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):",
++ ssl_r, r, errno,
++ strerror(errno));
++ }
++
++ break;
++ default:
++ while((err = ERR_get_error())) {
++ log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
++ ssl_r, ret,
++ ERR_error_string(err, NULL));
++ }
++
++ break;
++ }
+ }
+ }
++ ERR_clear_error();
+ #endif
+
+Index: src/connections.c
+===================================================================
+--- src/connections.c (revision 2139)
++++ src/connections.c (revision 2144)
+@@ -1681,5 +1681,5 @@
+ if (-1 != (ret = SSL_shutdown(con->ssl))) break;
+
+- // fall through
++ /* fall through */
+ default:
+
+@@ -1698,5 +1698,5 @@
+ } else {
+ log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):",
+- ssl_r, r, errno,
++ ssl_r, ret, errno,
+ strerror(errno));
+ }
|
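Review bot: In the `SSL_ERROR_SYSCALL` branch of the connections.c shutdown path (revisions 2139/2144 in this patch file), `errno` is read only after `SSL_get_error()` and `ERR_get_error()` have run, so the value logged by `strerror(errno)` may no longer be the one left by the failing `SSL_shutdown()`; library calls in between are free to overwrite it. Capture it immediately after the failing call and log the saved copy: extend the declaration to `int ret, ssl_r, saved_errno;`, add `saved_errno = errno;` as the first statement under `default:` before the `SSL_get_error()` switch, and change the log arguments to `ssl_r, ret, saved_errno, strerror(saved_errno));`. The final revision also correctly replaces the undeclared `r` with `ret` in that log call, which is the variable the earlier revision got wrong. The C function enclosing this switch starts and ends outside the quoted inner hunks, so the `ERR_clear_error()` added after the `#ifdef USE_OPENSSL` block should be checked against the rest of that function to confirm no later caller expects the queue contents.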