[openssl-dev] [openssl.org #3698] Bug: Ref count issue in SSL_new may cause a crash in SSL_free if REF_CHECK is defined

Narendra Meka via RT rt at openssl.org
Fri Feb 13 14:07:28 UTC 2015


In SSL_new, s->references is set to 1 AFTER ssl_new successfully completes. If it errors out, SSL_free() is called, which decrements it; but since it was never set to 1, this will cause a crash if REF_CHECK is defined, since i will be less than zero. There are also a few other "goto err" cases in SSL_new before s->references is set to 1.

SSL_new code:

    if (!s->method->ssl_new(s))
        goto err;                       /* references is still 0 here */

    s->references=1;

Error handling:

err:
    if (s != NULL)
        SSL_free(s);                    /* decrements references from 0 to -1 */
    SSLerr(SSL_F_SSL_NEW,ERR_R_MALLOC_FAILURE);
    return(NULL);

SSL_free code:

    if(s == NULL)
        return;

    i=CRYPTO_add(&s->references,-1,CRYPTO_LOCK_SSL);  /* -1 on the SSL_new error path */
#ifdef REF_PRINT
    REF_PRINT("SSL",s);
#endif
    if (i > 0) return;
#ifdef REF_CHECK
    if (i < 0)
        {
        fprintf(stderr,"SSL_free, bad reference count\n");
        abort(); /* ok */
        }
#endif

Thanks
Narendra Meka
Cisco Systems
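The ordering problem in the report, reduced to a stand-alone C model. This is an added example, not OpenSSL code and not the reporter's: the obj struct, method_new(), obj_new_buggy()/obj_new_fixed(), the fail_method flag and the NEW_* status codes are all assumptions made for illustration. obj_free() keeps the shape of SSL_free() but returns the bad count instead of calling abort(), so both orderings of the references assignment can be compared in one run; the fixed variant sets the count before the first goto err, which is what lets the error path release the object cleanly.

```c
/* Added example modelling the SSL_new/SSL_free refcount ordering bug.
 * Not OpenSSL code: names and the fail_method flag are illustrative. */
#include <stdio.h>
#include <stdlib.h>

enum { NEW_OK = 0, NEW_FAILED = 1, NEW_BAD_REFCOUNT = -1 };

struct obj {
    int references;
    char *buf;
};

/* Same control flow as SSL_free under REF_CHECK, except that a negative
 * count is reported (-1) rather than abort()ed. Returns 1 if the object
 * is still referenced (nothing freed) and 0 once it has been released. */
static int obj_free(struct obj *o)
{
    int i;
    if (o == NULL)
        return 0;
    i = --o->references;            /* CRYPTO_add(&s->references, -1, ...) */
    if (i > 0)
        return 1;
    if (i < 0) {
        fprintf(stderr, "obj_free, bad reference count\n");
        return -1;                  /* SSL_free would abort() here */
    }
    free(o->buf);
    free(o);
    return 0;
}

/* Stand-in for s->method->ssl_new(): allocates a member, or fails on demand. */
static int method_new(struct obj *o, int fail)
{
    if (fail)
        return 0;
    o->buf = malloc(16);
    return o->buf != NULL;
}

/* Original ordering: references is set only after method_new() succeeds,
 * so every goto err before that line frees an object whose count is 0. */
static int obj_new_buggy(int fail_method, struct obj **out)
{
    int rc = NEW_FAILED;
    struct obj *o = calloc(1, sizeof(*o));
    *out = NULL;
    if (o == NULL)
        goto err;
    if (!method_new(o, fail_method))
        goto err;
    o->references = 1;
    *out = o;
    return NEW_OK;
err:
    if (o != NULL && obj_free(o) < 0) {
        /* The real code has abort()ed by now; release by hand so this
         * demonstration does not leak. */
        free(o->buf);
        free(o);
        rc = NEW_BAD_REFCOUNT;
    }
    return rc;
}

/* Fixed ordering: count the caller's reference before anything can fail. */
static int obj_new_fixed(int fail_method, struct obj **out)
{
    struct obj *o = calloc(1, sizeof(*o));
    *out = NULL;
    if (o == NULL)
        return NEW_FAILED;
    o->references = 1;
    if (!method_new(o, fail_method))
        goto err;
    *out = o;
    return NEW_OK;
err:
    return obj_free(o) < 0 ? NEW_BAD_REFCOUNT : NEW_FAILED;   /* frees cleanly */
}

/* Scenario 1: method_new() fails with the original ordering. */
static int buggy_error_path(void)
{
    struct obj *o;
    return obj_new_buggy(1, &o);            /* NEW_BAD_REFCOUNT */
}

/* Scenario 2: the same failure with references set first. */
static int fixed_error_path(void)
{
    struct obj *o;
    return obj_new_fixed(1, &o);            /* NEW_FAILED, no bad count */
}

/* Scenario 3: normal lifecycle with a second owner; returns 10 when the
 * first free leaves the object alive (1) and the second releases it (0). */
static int fixed_lifecycle(void)
{
    struct obj *o;
    int first, second;
    if (obj_new_fixed(0, &o) != NEW_OK)
        return -1;
    o->references++;                        /* a second owner takes a reference */
    first = obj_free(o);
    second = obj_free(o);
    return first * 10 + second;
}

int main(void)
{
    printf("buggy error path: %d (expect %d)\n", buggy_error_path(), NEW_BAD_REFCOUNT);
    printf("fixed error path: %d (expect %d)\n", fixed_error_path(), NEW_FAILED);
    printf("fixed lifecycle:  %d (expect 10)\n", fixed_lifecycle());
    return 0;
}
```

Build with any C compiler; the buggy scenario prints the "bad reference count" line on stderr exactly where the real SSL_free would abort, while the fixed ordering reaches the same error path and frees the half-built object without tripping the check.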