Fix bug #73072 (Invalid path SNI_server_certs causes segfault)

3 files changed, 55 insertions, 3 deletions

diff --git a/NEWS b/NEWS
index e7b8becb2c..b7f466dc2e 100644
--- a/NEWS
+++ b/NEWS
@@ -29,6 +29,10 @@ PHP                                                                        NEWS
   . Fixed bug #72590 (Opcache restart with kill_all_lockers does not work).
     (Keyur) (julien backport)
 
+- OpenSSL:
+  . Fixed bug #73072 (Invalid path SNI_server_certs causes segfault).
+    (Jakub Zelenka)
+
 - Session:
   . Fixed bug #68015 (Session does not report invalid uid for files save handler).
     (Yasuo)
diff --git a/ext/openssl/tests/bug73072.phpt b/ext/openssl/tests/bug73072.phpt
new file mode 100644
index 0000000000..cc352233e1
--- /dev/null
+++ b/ext/openssl/tests/bug73072.phpt
@@ -0,0 +1,45 @@
+--TEST--
+Bug #73072: Invalid path SNI_server_certs causes segfault
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip openssl not loaded");
+?>
+--FILE--
+<?php
+$serverCode = <<<'CODE'
+    $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
+	$ctx = stream_context_create(['ssl' => [
+	    'local_cert' => __DIR__ . '/domain1.pem',
+		'SNI_server_certs' => [
+		    "domain1.com" => __DIR__ . "/sni_server_domain1.pem",
+			"domain2.com" => __DIR__ . "/not_existing.pem",
+		]
+	]]);
+
+    $server = stream_socket_server('tls://127.0.0.1:64322', $errno, $errstr, $flags, $ctx);
+
+    phpt_notify();
+	@stream_socket_accept($server, 3);
+	// if there is a segfault, this won't be called
+	fwrite(STDERR, "done\n");
+CODE;
+
+$clientCode = <<<'CODE'
+    $flags = STREAM_CLIENT_CONNECT;
+	$ctxArr = [
+	    'cafile' => __DIR__ . '/sni_server_ca.pem',
+		'capture_peer_cert' => true
+	];
+
+    phpt_wait();
+
+    $ctxArr['peer_name'] = 'domain1.com';
+	$ctx = stream_context_create(['ssl' => $ctxArr]);
+	@stream_socket_client("tls://127.0.0.1:64322", $errno, $errstr, 1, $flags, $ctx);
+CODE;
+
+include 'ServerClientTestCase.inc';
+ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
+?>
+--EXPECT--
+done
diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
index bd4d24efde..d5490331d6 100644
--- a/ext/openssl/xp_ssl.c
+++ b/ext/openssl/xp_ssl.c
@@ -1355,6 +1355,7 @@ static int enable_server_sni(php_stream *stream, php_openssl_netstream_data_t *s
 	sslsock->sni_certs = (php_openssl_sni_cert_t*)safe_pemalloc(sslsock->sni_cert_count,
 		sizeof(php_openssl_sni_cert_t), 0, php_stream_is_persistent(stream)
 	);
+	memset(sslsock->sni_certs, 0, sslsock->sni_cert_count * sizeof(php_openssl_sni_cert_t));
 
 	for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(val), &pos);
 		zend_hash_get_current_data_ex(Z_ARRVAL_PP(val), (void **)&current, &pos) == SUCCESS;
@@ -2053,9 +2054,11 @@ static int php_openssl_sockop_close(php_stream *stream, int close_handle TSRMLS_
 	}
 
 	if (sslsock->sni_certs) {
-		for (i=0; i<sslsock->sni_cert_count; i++) {
-			SSL_CTX_free(sslsock->sni_certs[i].ctx);
-			pefree(sslsock->sni_certs[i].name, php_stream_is_persistent(stream));
+		for (i = 0; i < sslsock->sni_cert_count; i++) {
+			if (sslsock->sni_certs[i].ctx) {
+				SSL_CTX_free(sslsock->sni_certs[i].ctx);
+				pefree(sslsock->sni_certs[i].name, php_stream_is_persistent(stream));
+			}
 		}
 		pefree(sslsock->sni_certs, php_stream_is_persistent(stream));
 		sslsock->sni_certs = NULL;