From shinr...@apache.org
Subject [trafficserver] branch master updated: traffic_dump: add nullptr check for sni string (#6700)
Date Thu, 23 Apr 2020 15:10:51 GMT
This is an automated email from the ASF dual-hosted git repository.

shinrich pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 8b466db  traffic_dump: add nullptr check for sni string (#6700)
8b466db is described below

commit 8b466dba074d76e5a7a426d0da9d04ce3cb252f0
Author: Brian Neradt <brian.neradt@gmail.com>
AuthorDate: Thu Apr 23 10:10:16 2020 -0500

    traffic_dump: add nullptr check for sni string (#6700)
    
    Co-authored-by: bneradt <bneradt@verizonmedia.com>
---
 plugins/experimental/traffic_dump/traffic_dump.cc     | 12 +++++++++---
 .../pluginTest/traffic_dump/gold/200_bob_no_sni.gold  |  7 +++++++
 .../traffic_dump/traffic_dump_sni_filter.test.py      | 19 +++++++++++++++++--
 3 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/plugins/experimental/traffic_dump/traffic_dump.cc b/plugins/experimental/traffic_dump/traffic_dump.cc
index 34ca15d..938d640 100644
--- a/plugins/experimental/traffic_dump/traffic_dump.cc
+++ b/plugins/experimental/traffic_dump/traffic_dump.cc
@@ -616,10 +616,16 @@ global_ssn_handler(TSCont contp, TSEvent event, void *edata)
         TSDebug(PLUGIN_NAME, "global_ssn_handler(): Ignore non-HTTPS session %" PRId64 "...",
id);
         break;
       }
-      const std::string sni = SSL_get_servername(ssl_obj, TLSEXT_NAMETYPE_host_name);
-      if (sni != sni_filter) {
-        TSDebug(PLUGIN_NAME, "global_ssn_handler(): Ignore HTTPS session with non-filtered
SNI: %s", sni.c_str());
+      const char *sni_ptr = SSL_get_servername(ssl_obj, TLSEXT_NAMETYPE_host_name);
+      if (sni_ptr == nullptr) {
+        TSDebug(PLUGIN_NAME, "global_ssn_handler(): Ignore HTTPS session with non-existent
SNI.");
         break;
+      } else {
+        const std::string sni{sni_ptr};
+        if (sni != sni_filter) {
+          TSDebug(PLUGIN_NAME, "global_ssn_handler(): Ignore HTTPS session with non-filtered
SNI: %s", sni.c_str());
+          break;
+        }
       }
     }
     const auto this_session_count = session_counter++;
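Review bot: The new `sni_ptr == nullptr` branch has no comment explaining why the pointer can be null. Since any TLS client that omits the server_name extension reaches this path, I would add `// SSL_get_servername() returns nullptr when the client sent no SNI; std::string must not be constructed from it.` above the check. The `else` after a branch that ends in `break` is redundant, so the comparison can stay at the original nesting level as `if (sni_filter != sni_ptr) {` with `sni_ptr` passed to TSDebug, which also avoids the temporary string. The comparison is byte-exact while host names are case-insensitive, so a client sending a differently cased name would presumably be filtered out; confirm that is intended. The body of global_ssn_handler starts and ends outside this hunk.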
diff --git a/tests/gold_tests/pluginTest/traffic_dump/gold/200_bob_no_sni.gold b/tests/gold_tests/pluginTest/traffic_dump/gold/200_bob_no_sni.gold
new file mode 100644
index 0000000..9638e10
--- /dev/null
+++ b/tests/gold_tests/pluginTest/traffic_dump/gold/200_bob_no_sni.gold
@@ -0,0 +1,7 @@
+``
+> GET / HTTP/2
+> Host: bob--cert
+``
+< HTTP/2 200 
+< content-length: 0
+``
diff --git a/tests/gold_tests/pluginTest/traffic_dump/traffic_dump_sni_filter.test.py b/tests/gold_tests/pluginTest/traffic_dump/traffic_dump_sni_filter.test.py
index 9b02065..ff656d5 100644
--- a/tests/gold_tests/pluginTest/traffic_dump/traffic_dump_sni_filter.test.py
+++ b/tests/gold_tests/pluginTest/traffic_dump/traffic_dump_sni_filter.test.py
@@ -102,12 +102,17 @@ ts.Disk.File(replay_file_session_1, exists=True)
 replay_file_session_2 = os.path.join(replay_dir, "127", "0000000000000001")
 ts.Disk.File(replay_file_session_2, exists=False)
 
+# The third session should also be filtered out because it doesn't have any
+# SNI (note exists is set to False).
+replay_file_session_2 = os.path.join(replay_dir, "127", "0000000000000002")
+ts.Disk.File(replay_file_session_2, exists=False)
+
 #
 # Test 1: Verify dumping a session with the desired SNI and not dumping
 #         the session with the other SNI.
 #
 
-# Execute the first transaction.
+# Execute the first transaction with an SNI of bob.
 tr = Test.AddTestRun("Verify dumping of a session with the filtered SNI")
 tr.Setup.Copy("ssl/signed-foo.pem")
 tr.Setup.Copy("ssl/signed-foo.key")
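Review bot: The added expectation for the third session assigns to `replay_file_session_2` again, overwriting the path of the second session's replay file. The check itself is still registered because `ts.Disk.File(...)` is called right away, but any later use of `replay_file_session_2` would silently refer to file `0000000000000002`; whether such a use exists is not visible in this hunk. Rename it to match the comment: `replay_file_session_3 = os.path.join(replay_dir, "127", "0000000000000002")` and `ts.Disk.File(replay_file_session_3, exists=False)`.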
@@ -121,7 +126,7 @@ tr.Processes.Default.Streams.stderr = "gold/200_sni_bob.gold"
 tr.StillRunningAfter = server
 tr.StillRunningAfter = ts
 
-# Execute the second transaction.
+# Execute the second transaction with an SNI of dave.
 tr = Test.AddTestRun("Verify that a session of a different SNI is not dumped.")
 tr.Processes.Default.Command = \
         ('curl --tls-max 1.2 -k -H"Host: dave" --resolve "dave:{0}:127.0.0.1" '
@@ -131,6 +136,16 @@ tr.Processes.Default.Streams.stderr = "gold/200_sni_dave.gold"
 tr.StillRunningAfter = server
 tr.StillRunningAfter = ts
 
+# Execute the third transaction without any SNI.
+tr = Test.AddTestRun("Verify that a session of a non-existent SNI is not dumped.")
+tr.Processes.Default.Command = \
+        ('curl --tls-max 1.2 -k -H"Host: bob"'
+         '--cert ./signed-foo.pem --key ./signed-foo.key --verbose https://127.0.0.1:{0}'.format(ts.Variables.ssl_port))
+tr.Processes.Default.ReturnCode = 0
+tr.Processes.Default.Streams.stderr = "gold/200_bob_no_sni.gold"
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
+
 # Verify the properties of the replay file for the dumped transaction.
 tr = Test.AddTestRun("Verify the json content of the first session")
 verify_replay = "verify_replay.py"
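Review bot: The third test run's command is missing a space between the adjacent string literals `'... -H"Host: bob"'` and `'--cert ./signed-foo.pem ...'`, so they concatenate to `-H"Host: bob"--cert`. curl therefore sends `Host: bob--cert`, which is exactly what the new gold file 200_bob_no_sni.gold records, and the `--cert` option is presumably never applied to the request. The no-SNI condition still holds because the URL uses the IP address, but the test is pinning an accidental header value. Change the first literal to `('curl --tls-max 1.2 -k -H"Host: bob" '` and update the gold line to `> Host: bob`.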

