Browse Source

tls: fix segfault in pummel/test-tls-ci-reneg-attack

Commit 4e5fe2d changed the way how process.nextTick() works:

    process.nextTick(function foo() {
      process.nextTick(function bar() {
        // ...
      });
    });

Before said commit, foo() and bar() used to run on separate event loop ticks
but that is no longer the case.

However, that's exactly the behavior that the TLS renegotiation attack guard
relies on. It gets called by OpenSSL and needs to defer the 'error' event to a
later tick because the default action is to destroy the TLS context - the same
context that OpenSSL currently operates on.

When things change underneath your feet, bad things happen and OpenSSL is no
exception. Ergo, use setImmediate() instead of process.nextTick() to ensure
that the 'error' event is actually emitted at a later tick.

Fixes #3840.
v0.9.1-release
Ben Noordhuis 13 years ago
parent
commit
c492d43f48
  1. 2
      lib/tls.js

2
lib/tls.js

@ -702,7 +702,7 @@ function onhandshakestart() {
// Defer the error event to the next tick. We're being called from OpenSSL's // Defer the error event to the next tick. We're being called from OpenSSL's
// state machine and OpenSSL is not re-entrant. We cannot allow the user's // state machine and OpenSSL is not re-entrant. We cannot allow the user's
// callback to destroy the connection right now, it would crash and burn. // callback to destroy the connection right now, it would crash and burn.
process.nextTick(function() { setImmediate(function() {
var err = new Error('TLS session renegotiation attack detected.'); var err = new Error('TLS session renegotiation attack detected.');
if (self.cleartext) self.cleartext.emit('error', err); if (self.cleartext) self.cleartext.emit('error', err);
}); });

Loading…
Cancel
Save