add length validation for Lock-Token to prevent underflow

metsw24-max · metsw24-max · commit 5bbf9675ceb2 · 2026-03-24T19:52:21.000+05:30
diff --git a/modules/ssl/ssl_engine_pphrase.c b/modules/ssl/ssl_engine_pphrase.c
@@ -179,13 +179,13 @@ apr_status_t ssl_load_encrypted_pkey(server_rec *s, apr_pool_t *p, int idx,
      * are used to give a better idea as to what failed.
      */
     if (pkey_mtime) {
-        ssl_asn1_t *asn1 = ssl_asn1_table_get(mc->retained->privkeys, key_id);
-        if (asn1 && (asn1->source_mtime == pkey_mtime)) {
-            ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(02575)
-                         "Reusing existing private key from %s on restart",
-                         ppcb_arg.pkey_file);
-            return APR_SUCCESS;
-        }
+    ssl_asn1_t *asn1 = ssl_asn1_table_get(mc->retained->privkeys, key_id);
+    if (asn1 && (asn1->source_mtime == pkey_mtime)) {
+        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(02575)
+                     "Reusing existing private key from %s on restart",
+                     ppcb_arg.pkey_file);
+        return APR_SUCCESS;
+    }
     }
 
     ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(02576)
@@ -338,6 +338,11 @@ apr_status_t ssl_load_encrypted_pkey(server_rec *s, apr_pool_t *p, int idx,
     /* Cache the private key in the global module configuration so it
      * can be used after subsequent reloads. */
     asn1 = ssl_asn1_table_set(mc->retained->privkeys, key_id, pPrivateKey);
+    if (!asn1) {
+        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
+                    "mod_ssl: Failed to cache private key");
+        return ssl_die(s);
+    }
 
     if (ppcb_arg.nPassPhraseDialogCur != 0) {
         /* remember mtime of encrypted keys */
@@ -1024,4 +1029,4 @@ apr_status_t modssl_load_engine_keypair(server_rec *s,
                  vhostid, certid ? certid : "no cert", keyid);
     return APR_ENOTIMPL;
 #endif
-}
+}
diff --git a/modules/ssl/ssl_util.c b/modules/ssl/ssl_util.c
@@ -201,7 +201,14 @@ ssl_asn1_t *ssl_asn1_table_set(apr_hash_t *table, const char *key,
 {
     apr_ssize_t klen = strlen(key);
     ssl_asn1_t *asn1 = apr_hash_get(table, key, klen);
-    apr_size_t length = i2d_PrivateKey(pkey, NULL);
+    int derlen = i2d_PrivateKey(pkey, NULL);
+    if (derlen <= 0) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf,
+                     "mod_ssl: Failed to encode private key");
+        return NULL;
+    }
+
+    apr_size_t length = (apr_size_t)derlen;
     unsigned char *p;
 
     /* Re-use structure if cached previously. */
@@ -220,7 +227,11 @@ ssl_asn1_t *ssl_asn1_table_set(apr_hash_t *table, const char *key,
 
     asn1->nData = length;
     p = asn1->cpData;
-    i2d_PrivateKey(pkey, &p); /* increases p by length */
+    if (i2d_PrivateKey(pkey, &p) != derlen) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf,
+                     "mod_ssl: Failed to serialize private key");
+        return NULL;
+    }
 
     return asn1;
 }
@@ -506,4 +517,4 @@ int modssl_is_engine_id(const char *name)
 #else
     return 0;
 #endif
-}
+}
