Hello Robert,
thanks for the patch. Unfortunately the problem is the same :-(. 7FEF1B804640 peer address xxx.xxx.xxx.xxx /root/Pound-3.0/src/http.c:549 7FEF1B804640 start sni /root/Pound-3.0/src/util.c:157 7FEF1B804640 sni for XYZ /root/Pound-3.0/src/util.c:165 Segmentation fault Regards Sandrino On 17/05/2021 17:22, Robert Segall via pound wrote:
Hallo Sandrino Please replace the following function in config.c and let me know how it works for you. static SNI * get_one(char *filename) { SNI *res; mbedtls_x509_crt *cur; mbedtls_x509_name *nd; mbedtls_asn1_buf data; mbedtls_x509_sequence *san; regex_t *one_host; UT_array *hosts; UT_icd regex_icd = {sizeof(regex_t), NULL, NULL, NULL}; char buf[NI_MAXHOST]; int i, j; logmsg(1, "start get_one(%s) %s:%d", filename, __FILE__, __LINE__); if((res = malloc(sizeof(SNI))) == NULL) fatal("SNI: out of memory"); mbedtls_x509_crt_init(&res->certificate); if(mbedtls_x509_crt_parse_file(&res->certificate, filename)) fatal("SNI: can't read certificate %s", filename); mbedtls_pk_init(&res->key); if(mbedtls_pk_parse_keyfile(&res->key, filename, NULL)) fatal("SNI: can't read key %s", filename); utarray_new(hosts, ®ex_icd); for(cur = &res->certificate; cur != NULL; cur = cur->next) { if(mbedtls_pk_check_pair(&cur->pk, &res->key)) continue; for(nd = &cur->subject; nd != NULL; nd = nd->next) if(MBEDTLS_OID_CMP(MBEDTLS_OID_AT_CN, &nd->oid) == 0) { data = nd->val; memset(buf, '\0', NI_MAXHOST); for(i = j = 0; i < data.len; i++) if(data.p[i] == '*') { buf[j++] = '['; buf[j++] = '^'; buf[j++] = '.'; buf[j++] = ']'; buf[j++] = '+'; } else if(data.p[i] == '.') { buf[j++] = '\\'; buf[j++] = '.'; } else buf[j++] = data.p[i]; buf[j] = '\0'; logmsg(4, "get_one add pattern %s %s:%d", buf, __FILE__, __LINE__); if((one_host = (regex_t *)malloc(sizeof(regex_t))) == NULL) fatal("Can't alloc regex for %s",buf); if(regcomp(one_host, buf, REG_ICASE | REG_EXTENDED)) fatal("Certificate in %s: bad host name pattern %s",filename, buf); utarray_push_back(hosts, one_host); } for(san = &cur->subject_alt_names; san != NULL; san = san-next)if(san->buf.tag == 130) { /* 130 seems to be the OID for DNS entries */ data = san->buf; memset(buf, '\0', NI_MAXHOST); for(i = j = 0; i < data.len; i++) if(data.p[i] == '*') { buf[j++] = '['; buf[j++] = '^'; buf[j++] = '.'; buf[j++] = ']'; buf[j++] = '+'; } else if(data.p[i] == '.') { buf[j++] = '\\'; buf[j++] = '.'; } else buf[j++] = data.p[i]; buf[j] = '\0'; logmsg(4, "get_one add pattern %s %s:%d", buf, __FILE__, __LINE__); if((one_host = (regex_t *)malloc(sizeof(regex_t))) == NULL) fatal("Can't alloc regex for %s",buf); if(regcomp(one_host, buf, REG_ICASE | REG_EXTENDED)) fatal("Certificate in %s: bad host name pattern %s",filename, buf); utarray_push_back(hosts, one_host); } if((res->host = calloc(utarray_len(hosts), sizeof(regex_t))) == NULL) fatal("SNI: out of memory"); res->host_len = utarray_len(hosts); for(i = 0; i < res->host_len; i++) res->host[i] = *((regex_t *)utarray_eltptr(hosts, i)); utarray_free(hosts); } logmsg(4, "get_one: added %d patterns %s:%d", res->host_len, __FILE__, __LINE__); return res; }
-- pound mailing list [email protected] https://admin.hostpoint.ch/mailman/listinfo/pound_apsis.ch
