BIO_flush Segmentation Fault Issue
Jay Foster
jayf0ster at roadrunner.com
Thu Sep 29 20:02:48 UTC 2022
I have an application that constructs a chain of BIOs. Sometimes this
chain also includes an SSL BIO. Years ago, I ran into a problem that
caused BIO_flush() to segfault on the SSL BIO. This turned out to
happen because the SSL BIO is added using SSL_set_bio() instead of
BIO_push(). SSL_set_bio() results in the SSL BIO always having a NULL
bio_next value, so BIO_flush then crashes dereferencing this NULL
pointer when it calls BIO_copy_next_retry() on the SSL BIO (see
BIO_CTRL_FLUSH in ssl/bio_ssl.c).
This was reported as ticket 2615 years ago.
My question is, how could calling BIO_flush() on a BIO chain with an SSL
BIO ever work? Is there a way to add the SSL BIO using BIO_push()
instead of SSL_set_bio()?
Jay
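
The failure mode described in the message above, as an added example that is not part of the original post and is not OpenSSL code. It is a simplified stand-alone model with hypothetical names (model_bio, model_push, model_attach, model_flush_*): it contrasts a filter linked into the chain with one whose transport was attached outside the chain, and shows a flush that checks the next pointer before copying retry state.

```c
#include <stddef.h>

/* Simplified model of a filter chain; NOT OpenSSL source, all names hypothetical. */
#define RETRY_MASK 0x0f

struct model_bio {
    struct model_bio *next;      /* chain link, the role bio_next plays in the post */
    struct model_bio *transport; /* I/O object the filter writes to */
    int flags;                   /* low bits model the retry flags */
    int flush_count;             /* how many times this object was flushed */
};

/* Chain link in the style of BIO_push(): the filter's next pointer is set. */
struct model_bio *model_push(struct model_bio *b, struct model_bio *append) {
    b->next = append;
    b->transport = append;
    return b;
}

/* Out-of-band attach, as the post describes for SSL_set_bio(): next stays NULL. */
void model_attach(struct model_bio *b, struct model_bio *io) {
    b->transport = io;
}

/* Unguarded flush: faults when b->next is NULL, the crash described in the post. */
int model_flush_unguarded(struct model_bio *b) {
    b->transport->flush_count++;
    b->flags = (b->flags & ~RETRY_MASK) | (b->next->flags & RETRY_MASK);
    return 1;
}

/* Guarded flush: -1 = no transport, 0 = flushed but no chain link, 1 = full path. */
int model_flush_guarded(struct model_bio *b) {
    if (b == NULL || b->transport == NULL)
        return -1;
    b->transport->flush_count++;
    if (b->next == NULL)
        return 0; /* nothing to copy retry state from; do not dereference */
    b->flags = (b->flags & ~RETRY_MASK) | (b->next->flags & RETRY_MASK);
    return 1;
}

int main(void) {
    /* Constructed sample objects: one transport shared by two filters. */
    struct model_bio io = { NULL, NULL, 0x08, 0 }, pushed = { 0 }, attached = { 0 };
    model_push(&pushed, &io);
    model_attach(&attached, &io);
    return !(model_flush_guarded(&pushed) == 1 && model_flush_guarded(&attached) == 0);
}
```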
More information about the openssl-users mailing list