Changelog Development Documentation Download libcurl Mailing Lists News
cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: [PATCH] openssl: Fix uninitialized variable use in NPN callback

From: Tatsuhiro Tsujikawa <tatsuhiro.t_at_gmail.com>
Date: Thu, 22 May 2014 08:30:18 +0900

2014/05/22 2:05 "Fabian Frank" <fabian.frank.de_at_gmail.com>:
>
> On May 21, 2014, at 7:55 AM, Tatsuhiro Tsujikawa <tatsuhiro.t_at_gmail.com>
wrote:
>
> > OpenSSL passes out and outlen variable uninitialized to
> > select_next_proto_cb callback function. If the callback function
> > returns SSL_TLSEXT_ERR_OK, the caller assumes the callback filled
> > values in out and outlen and processes as such. Previously, if there
> > is no overlap in protocol lists, curl code does not fill any values in
> > these variables and returns SSL_TLSEXT_ERR_OK, which means we are
> > triggering undefined behavior. valgrind warns this.
>
> In line 1430 we completely delegate this functionality to nghttp2, see
their implementation of the callback:
> https://github.com/tatsuhiro-t/nghttp2/blob/master/lib/nghttp2_npn.c#L29
>
> I would recommend that we fix this in nghttp2, what do you think?
>

Since it depends on the application to select which protocol in non
overlapped case, nghttp2_select_next_proto cannot fill anything. For
example, http2 only client wants to http/2. Also this function can be used
for ALPN, in that case, we can just return SSL_TLSEXT_ERR_NOACK to abort
handshake without selection.

>
> > This patch fixes this issue by filling HTTP/2 protocol identifier
> > nghttp2 library supports when there is no overlap. Unlike ALPN, NPN
> > specification https://technotes.googlecode.com/git/nextprotoneg.html
> > says that client should select first protocol it supports if there is
> > no overlap.
>
> I don’t think that it’s feasible to always fall back to HTTP2, it
> means we are almost guaranteed to fail. Falling back to HTTP 1.1 makes
more sense.
> We should consider HTTP 1.1 our first protocol.
>

Using http/1.1 works for me.

Best regards,
Tatsuhiro Tsujikawa

>
> Regards,
> Fabian
>
>
>
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-05-22