OpenSslEngine may use networkBIO after calling shutdown
Motivation: To ensure that all bytes queued in OpenSSL/tcnative internal buffers we invoke SSL_shutdown again to stimulate OpenSSL to write any pending bytes. If this call fails we may call SSL_free and the associated shutdown method to free resources. At this time we may attempt to use the networkBIO which has already been freed and get a NPE. Modifications: - Don't call bioLengthByteBuffer(networkBIO) if we have called shutdown() in ReferenceCountedOpenSslEngine Result: Fixes https://github.com/netty/netty/issues/6466
This commit is contained in:
parent
b372a2f19f
commit
417eea8466
@ -34,7 +34,6 @@ import io.netty.util.internal.logging.InternalLoggerFactory;
|
||||
|
||||
import java.nio.ByteBuffer;
|
||||
import java.nio.ReadOnlyBufferException;
|
||||
import java.security.AlgorithmConstraints;
|
||||
import java.security.Principal;
|
||||
import java.security.cert.Certificate;
|
||||
import java.util.ArrayList;
|
||||
@ -458,9 +457,11 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc
|
||||
// It is possible when the outbound was closed there was not enough room in the non-application
|
||||
// buffers to hold the close_notify. We should keep trying to close until we consume all the data
|
||||
// OpenSSL can give us.
|
||||
boolean didShutdown = doSSLShutdown();
|
||||
if (!doSSLShutdown()) {
|
||||
return newResultMayFinishHandshake(NOT_HANDSHAKING, 0, bytesProduced);
|
||||
}
|
||||
bytesProduced = bioLengthBefore - SSL.bioLengthByteBuffer(networkBIO);
|
||||
return newResultMayFinishHandshake(didShutdown ? NEED_WRAP : NOT_HANDSHAKING, 0, bytesProduced);
|
||||
return newResultMayFinishHandshake(NEED_WRAP, 0, bytesProduced);
|
||||
}
|
||||
|
||||
// Flush any data that may be implicitly generated by OpenSSL (handshake, close, etc..).
|
||||
@ -1023,6 +1024,10 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Attempt to call {@link SSL#shutdownSSL(long)}.
|
||||
* @return {@code false} if the call to {@link SSL#shutdownSSL(long)} was not attempted or returned an error.
|
||||
*/
|
||||
private boolean doSSLShutdown() {
|
||||
if (SSL.isInInit(ssl) != 0) {
|
||||
// Only try to call SSL_shutdown if we are not in the init state anymore.
|
||||
|
Loading…
x
Reference in New Issue
Block a user