Date: Tue, 29 Oct 2002 07:46:20 -0800
From: "john r. durand" <jrd@real.com>
Subject: patch

i have attached an stunnel patch for version 4.02 that optionally adds an X-Forwarded-For header for HTTP connections. this header includes the originating IP address for the connection.

we needed this feature at RealNetworks because we use an stunnel-based SSL accelerator architecture. all SSL traffic is proxied by a set of boxes that negotiate the SSL connection with stunnel and pass the unencrypted data to a standard web server farm. that farm needs to log the original IP address for the request.

my changes are provided without any restrictions and can be freely integrated into the base source for stunnel. in fact, i would be very happy to see that happen as it would prevent me from having to merge the changes into each new release.

please let me know if you have any interest in accepting these changes (or if you would like me to post them to the mailing list, etc.)

thanks.

john r. durand

-------------------------------------------------------------------------------

Date: Mon, 11 Nov 2002 12:33:29 +0100
From: Michal Trojnara
Subject: Re: patch

There's a remote buffer overflow security hole in your patch. memmove() can be called when c->ssl_ptr+num+c->header_length>=BUFFSIZE.

The next problem is that non-mt-safe inet_ntoa() is called outside of a critical section.

There are possibly other bugs. The most difficult to fix seems to be that your patch doesn't support persistent connections:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.10

This is why I'm not going to support HTTP protocol. It's not as easy to do it correctly as it seems to be. 8-(
http://whatis.techtarget.com/definition/0,,sid9_gci521694,00.html

Best regards,
Mike
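As an added illustration of the two defects Michal points out (this is example code written for this page, not the patch itself or stunnel's source): a header-insertion routine that checks that the bytes already held plus the new header fit in the buffer before memmove() runs, and formats the address with the reentrant inet_ntop() rather than inet_ntoa(). The function names, the BUFFSIZE value, the sample request and the client address are all constructed for the example.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define BUFFSIZE 4096 /* constructed value; stunnel's real BUFFSIZE is not on the page */

/* Insert "X-Forwarded-For: <ip>\r\n" after the request line held in buf, which
 * contains `used` bytes of client data (what the thread calls c->ssl_ptr+num).
 * Returns the new length, or -1 if no request line is complete yet or the header
 * would not fit; in that case buf is untouched and memmove() never runs. */
int insert_xff_header(char *buf, size_t bufsize, size_t used, const struct in_addr *client)
{
    char ip[INET_ADDRSTRLEN], header[64];
    size_t pos = 0;
    /* inet_ntop() writes into a caller-owned buffer, so it is thread-safe,
     * unlike inet_ntoa(), which hands back a pointer to static storage. */
    if (inet_ntop(AF_INET, client, ip, sizeof ip) == NULL)
        return -1;
    int header_length = snprintf(header, sizeof header, "X-Forwarded-For: %s\r\n", ip);
    if (header_length < 0 || (size_t)header_length >= sizeof header)
        return -1;
    while (pos + 1 < used && !(buf[pos] == '\r' && buf[pos + 1] == '\n'))
        pos++;                            /* locate the CRLF ending the request line */
    if (pos + 1 >= used)
        return -1;
    pos += 2;
    /* The bound the thread says was missing: bytes already held plus the new
     * header must fit in the buffer before anything is moved. */
    if (used + (size_t)header_length > bufsize)
        return -1;
    memmove(buf + pos + header_length, buf + pos, used - pos);
    memcpy(buf + pos, header, (size_t)header_length);
    return (int)(used + (size_t)header_length);
}

/* Demo: load a constructed 37-byte request into a buffer, tell the inserter it has
 * `bufsize` bytes, and check the output. Returns the new length (64 for the full
 * buffer), -1 when the insertion is refused (e.g. bufsize 40), -2 on wrong output. */
int xff_demo(size_t bufsize)
{
    static const char req[] = "GET / HTTP/1.0\r\nHost: example.com\r\n\r\n";
    const char *want = "GET / HTTP/1.0\r\nX-Forwarded-For: 10.0.0.7\r\nHost: example.com\r\n\r\n";
    char buf[BUFFSIZE];
    struct in_addr client;
    inet_pton(AF_INET, "10.0.0.7", &client);     /* constructed client address */
    memcpy(buf, req, sizeof req - 1);
    int n = insert_xff_header(buf, bufsize, sizeof req - 1, &client);
    if (n > 0 && ((size_t)n != strlen(want) || memcmp(buf, want, (size_t)n) != 0))
        return -2;
    return n;
}
```

The persistent-connection problem Michal raises is not addressed here: this routine rewrites only the first request in the buffer, so a keep-alive connection would need the same treatment applied per request.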