SSL: fixed possible use-after-free in $ssl_server_name.
The $ssl_server_name variable used SSL_get_servername() result directly,
but this is not safe: it references a memory allocation in an SSL
session, and this memory might be freed at any time due to renegotiation.
Instead, copy the name to memory allocated from the pool.
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 4b74cb3..88a6dbe 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3551,13 +3551,22 @@
{
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
- const char *servername;
+ size_t len;
+ const char *name;
- servername = SSL_get_servername(c->ssl->connection,
- TLSEXT_NAMETYPE_host_name);
- if (servername) {
- s->data = (u_char *) servername;
- s->len = ngx_strlen(servername);
+ name = SSL_get_servername(c->ssl->connection, TLSEXT_NAMETYPE_host_name);
+
+ if (name) {
+ len = ngx_strlen(name);
+
+ s->len = len;
+ s->data = ngx_pnalloc(pool, len);
+ if (s->data == NULL) {
+ return NGX_ERROR;
+ }
+
+ ngx_memcpy(s->data, name, len);
+
return NGX_OK;
}