From 1e2569973101aaccdbb0c552948134cb1a58a7fd Mon Sep 17 00:00:00 2001
From: Qijiang Fan
Date: Tue, 30 Dec 2014 22:51:33 +0800
Subject: ssl: deny recursively defined sni_hosts
---
 lib/ssl/src/ssl.erl | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
(limited to 'lib')
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 54cc5e71b6..cebfb9e5ce 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -885,7 +885,13 @@ validate_option(server_name_indication, undefined) ->
 validate_option(sni_hosts, []) ->
 [];
 validate_option(sni_hosts, [{Hostname, SSLOptions} | Tail]) when is_list(Hostname) ->
- [{Hostname, validate_options(SSLOptions)} | validate_option(sni_hosts, Tail)];
+ RecursiveSNIOptions = proplists:get_value(sni_hosts, SSLOptions, undefined),
+ case RecursiveSNIOptions of
+ undefined ->
+ [{Hostname, validate_options(SSLOptions)} | validate_option(sni_hosts, Tail)];
+ _ ->
+ throw({error, {options, {sni_hosts, RecursiveSNIOptions}}})
+ end;
 validate_option(honor_cipher_order, Value) when is_boolean(Value) ->
 Value;
 validate_option(padding_check, Value) when is_boolean(Value) ->
--
cgit v1.2.3
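Review bot: The nested-key check in the second `validate_option(sni_hosts, ...)` clause uses `undefined` both as the `proplists:get_value/3` default and as the "absent" sentinel, so a per-host list carrying an explicit `{sni_hosts, undefined}` is treated as if the key were missing and passed on to `validate_options/1`; whether it is rejected afterwards depends on clauses outside this hunk. Testing presence directly with `case proplists:is_defined(sni_hosts, SSLOptions) of` (branches `false`/`true`) removes that ambiguity. The thrown term echoes the whole nested list but not the `Hostname` it was found under, and nested per-host options can hold `key` or `password` entries, so `throw({error, {options, {sni_hosts, Hostname}}})` would both pinpoint the offending entry and keep key material out of any log that prints the error. A one-line comment such as `%% sni_hosts may not be nested: per-host options are validated as a plain option list` would record why the clause rejects recursion.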