[openssl-dev] [openssl.org #4159] BUG ::: Null dereference in ssl3_free
Srinivas Koripella via RT
rt at openssl.org
Sun Nov 29 11:09:34 UTC 2015
Description.
We are dereferencing s->s3 in ssl3_free without checking if s->s3 is null or not.
s->s3 can be null because of the below code path.
SSL_new --> ssl3_new/tls1_new (via s->method->ssl_new), which allocates s3 and assigns s->s3 if successful. If not, s->s3 will remain null as we memset entire contents of s to zero on allocation in SSL_new.
However in SSL_new on return from the above s->method->ssl_new we go to err and call SSL_free which always calls s->method->ssl_free with us landing in ssl3_free with s->s3 as NULL.
The fix should be to check for s->s3 and return if it is NULL immediately in ssl3_free before dereferencing it.
Srinivas
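
The error path described in the report, modelled as an added example that is not OpenSSL's code or the reporter's patch. The `model_*` types and functions, the `fail_s3_alloc` hook and the `free_calls` counter are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for SSL, SSL3_STATE and SSL_METHOD (not OpenSSL's). */
typedef struct { unsigned char *rbuf; } model_s3;
typedef struct model_ssl model_ssl;
typedef struct { int (*ssl_new)(model_ssl *); void (*ssl_free)(model_ssl *); } model_method;
struct model_ssl { const model_method *method; model_s3 *s3; };

static int fail_s3_alloc; /* constructed hook: simulate s3 allocation failure */
static int free_calls;    /* how often method->ssl_free ran */

static int model_ssl3_new(model_ssl *s) {
    model_s3 *s3 = fail_s3_alloc ? NULL : calloc(1, sizeof(*s3));
    if (s3 == NULL) return 0;   /* s->s3 stays NULL, the object was zeroed */
    s3->rbuf = malloc(16);
    s->s3 = s3;
    return 1;
}

static void model_ssl3_free(model_ssl *s) {
    free_calls++;
    if (s == NULL || s->s3 == NULL) return; /* guard proposed in the report */
    free(s->s3->rbuf);          /* NULL dereference here without the guard */
    free(s->s3);
    s->s3 = NULL;
}

static const model_method model_meth = { model_ssl3_new, model_ssl3_free };

static void model_ssl_free(model_ssl *s) {
    if (s == NULL) return;
    s->method->ssl_free(s);     /* called unconditionally, as described */
    free(s);
}

static model_ssl *model_ssl_new(int simulate_failure) {
    model_ssl *s = calloc(1, sizeof(*s)); /* zeroed, like the memset in SSL_new */
    if (s == NULL) return NULL;
    s->method = &model_meth;
    fail_s3_alloc = simulate_failure;
    if (!s->method->ssl_new(s)) { model_ssl_free(s); return NULL; } /* err path */
    return s;
}

int main(void) {
    model_ssl *s = model_ssl_new(1);
    printf("failed alloc -> %p, ssl_free calls: %d\n", (void *)s, free_calls);
    return 0;
}
```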