[openssl-dev] [openssl.org #4111] [PATCH] fix ssl3_free NULL dereference on out of memory condition

Kurt Roeckx via RT rt at openssl.org
Wed Oct 28 22:33:11 UTC 2015


On Wed, Oct 28, 2015 at 12:58:09AM +0000, Willy TARREAU via RT wrote:
> This patch fixes a NULL dereference issue when SSL_new() fails due to a
> low memory condition. Here it is possible that ssl3_new() fails, but
> despite this ssl3_free() is called along the error path and doesn't check
> that s->s3 is valid before dereferencing it.

This was actually already reported with the same patch last week.
But I want to look into the whole error handling of SSL_new().

PS: Are you using some tool to try and find those issues?


Kurt
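
The failure mode described in the quoted report, as an added C example that is not part of the original message and is not OpenSSL code. The names `conn`, `state`, `xalloc`, `conn_new` and `sweep_alloc_failures` are hypothetical stand-ins, and failing each allocation in turn is one assumed way to exercise such error paths.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for SSL and s->s3; not OpenSSL's definitions. */
struct state { unsigned char *rbuf; };
struct conn  { struct state *s3; };

/* Fault injection: the fail_at-th allocation from now fails (0 = never). */
static int fail_at = 0;
static void *xalloc(size_t n) {
    if (fail_at > 0 && --fail_at == 0) return NULL;
    return calloc(1, n);
}

static int state_new(struct conn *c) {
    struct state *st = xalloc(sizeof(*st));
    if (st == NULL) return 0;             /* c->s3 is left NULL */
    st->rbuf = xalloc(64);
    if (st->rbuf == NULL) { free(st); return 0; }
    c->s3 = st;
    return 1;
}

/* Cleanup has to tolerate a partially constructed object. */
static void state_free(struct conn *c) {
    if (c == NULL || c->s3 == NULL) return;   /* the guard under discussion */
    free(c->s3->rbuf);
    free(c->s3);
    c->s3 = NULL;
}

static struct conn *conn_new(void) {
    struct conn *c = xalloc(sizeof(*c));
    if (c != NULL && !state_new(c)) {
        state_free(c);                    /* error path: c->s3 is NULL here */
        free(c);
        c = NULL;
    }
    return c;
}

/* Fail allocation 1, 2, 3, ... in turn; return how many injected failures were handled. */
static int sweep_alloc_failures(void) {
    for (int n = 1; ; n++) {
        fail_at = n;
        struct conn *c = conn_new();
        fail_at = 0;
        if (c != NULL) { state_free(c); free(c); return n - 1; }
    }
}

int main(void) { return sweep_alloc_failures() == 3 ? 0 : 1; }
```

Removing the guard in `state_free()` makes the sweep crash at the second injected failure, which is the condition the report describes.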



