[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

paul.dale at oracle.com paul.dale at oracle.com
Wed Jul 26 00:10:49 UTC 2017 

The branch OpenSSL_1_1_0-stable has been updated
       via  74ef4b8fb9c78f517c97c51a91af4bacba785ed6 (commit)
      from  738a9dd53cacce593cd7d67e18e1273549640a79 (commit)


- Log -----------------------------------------------------------------
commit 74ef4b8fb9c78f517c97c51a91af4bacba785ed6
Author: Pauli <paul.dale at oracle.com>
Date:   Wed Jul 26 10:04:05 2017 +1000

    Fix potential use-after-free and memory leak
    
    In function wait_for_async(), allocated async fds is freed if
    `SSL_get_all_async_fds` fails, but later `fds` is used. Interestingly,
    it is not freed when everything succeeds.
    
    Rewrite the FD set loop to make it more readable and to not modify the allocated
    pointer so it can be freed.
    
    Reviewed-by: Andy Polyakov <appro at openssl.org>
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/3992)
    
    (cherry picked from commit 0a3452520fe4cd6871ae8b7c4199c6d5d4efe912)

-----------------------------------------------------------------------

Summary of changes:
 apps/apps.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/apps/apps.c b/apps/apps.c
index cbf4e90..d3cb19d 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2575,6 +2575,7 @@ void wait_for_async(SSL *s)
     fd_set asyncfds;
     OSSL_ASYNC_FD *fds;
     size_t numfds;
+    size_t i;
 
     if (!SSL_get_all_async_fds(s, NULL, &numfds))
         return;
@@ -2583,17 +2584,17 @@ void wait_for_async(SSL *s)
     fds = app_malloc(sizeof(OSSL_ASYNC_FD) * numfds, "allocate async fds");
     if (!SSL_get_all_async_fds(s, fds, &numfds)) {
         OPENSSL_free(fds);
+        return;
     }
 
     FD_ZERO(&asyncfds);
-    while (numfds > 0) {
-        if (width <= (int)*fds)
-            width = (int)*fds + 1;
-        openssl_fdset((int)*fds, &asyncfds);
-        numfds--;
-        fds++;
+    for (i = 0; i < numfds; i++) {
+        if (width <= (int)fds[i])
+            width = (int)fds[i] + 1;
+        openssl_fdset((int)fds[i], &asyncfds);
     }
     select(width, (void *)&asyncfds, NULL, NULL, NULL);
+    OPENSSL_free(fds);
 #endif
 }

More information about the openssl-commits mailing list