[openssl-dev] [openssl.org #4111] [PATCH] fix ssl3_free NULL dereference on out of memory condition

Willy TARREAU via RT rt at openssl.org
Thu Oct 29 01:21:38 UTC 2015


Hello,

On Wed, Oct 28, 2015 at 10:33:11PM +0000, Kurt Roeckx via RT wrote:
> On Wed, Oct 28, 2015 at 12:58:09AM +0000, Willy TARREAU via RT wrote:
> > This patch fixes a NULL dereference issue when SSL_new() fails due to a
> > low memory condition. Here it is possible that ssl3_new() fails, but
> > despite this ssl3_free() is called along the error path and doesn't check
> > that s->s3 is valid before dereferencing it.
> 
> This was actually already reported with the same patch last week.

Ah cool!

> But I want to look in the whole error handling of SSL_new().

For sure! The other patch touches SSL_new() as well and... it's not
the best place to be when an error occurs! But that's the problem
with any constructor, it's hard to perform the cleanup after things
are half-initialized.

> PS: Are you using some tool to try and find those issues?

No, just a customer with production traffic reporting a crash every
5 minutes :-) We enabled core dumps and found the two locations for
which I proposed a patch. At least these patches have fixed all the
issues in the lab, I'll wait for the customer's feedback. I still
have a doubt since the customer faced one segfault in libcrypto
which I have not reproduced, but since there were a lot of fixes in
this area between 1.0.1p and 1.0.1-stable, I picked all the pending
patches to see if they're enough to fix this issue for the customer.

That's all the information I can bring at the moment.

Best regards,
Willy

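The mail describes a classic constructor/destructor mismatch: a sub-object is allocated lazily, allocation fails under memory pressure, and the error path still calls the destructor, which dereferences the never-assigned pointer. The following is an added, stand-alone C example that is not OpenSSL's code and uses no OpenSSL identifiers; `conn`, `state3`, `state3_new`, `state3_free` and the constructed fault-injection allocator `xmalloc` are all hypothetical, chosen only to mirror the `SSL` / `s->s3` relationship the mail reports. It shows the unsafe destructor beside a hardened one and reproduces the out-of-memory condition deterministically so the safe path can be exercised without waiting for a production crash.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Hypothetical object with a lazily allocated sub-state. This models the
 * "outer object -> s->s3" shape from the mail; it is not OpenSSL code. */
struct state3 { unsigned char *buf; size_t len; };
struct conn   { int version; struct state3 *s3; };

/* Constructed fault-injection allocator: the fail_at-th call returns NULL,
 * so an out-of-memory condition is reproducible on demand (0 = never fail). */
static int fail_at = 0;
static int alloc_calls = 0;

static void *xmalloc(size_t n) {
    alloc_calls++;
    if (fail_at && alloc_calls == fail_at) return NULL;
    return calloc(1, n);           /* zeroed, so c->s3 starts out NULL */
}

/* Sub-state constructor: on any failure it leaves c->s3 untouched (NULL). */
static int state3_new(struct conn *c) {
    struct state3 *st = xmalloc(sizeof *st);
    if (st == NULL) return 0;
    st->buf = xmalloc(64);
    if (st->buf == NULL) { free(st); return 0; }
    st->len = 64;
    c->s3 = st;
    return 1;
}

/* Unsafe destructor: assumes state3_new() succeeded. Called from the error
 * path with c->s3 == NULL, it dereferences NULL, which is the bug class
 * the patch in this thread fixes. */
static void state3_free_unsafe(struct conn *c) {
    free(c->s3->buf);              /* NULL dereference when s3 was never set */
    free(c->s3);
    c->s3 = NULL;
}

/* Hardened destructor: tolerates every partially initialised state. */
static void state3_free(struct conn *c) {
    if (c == NULL || c->s3 == NULL) return;
    free(c->s3->buf);
    free(c->s3);
    c->s3 = NULL;
}

/* Constructor whose error path tears down via the destructor, as the mail
 * describes. use_safe_free selects which destructor runs on that path. */
static struct conn *conn_new(int use_safe_free) {
    struct conn *c = xmalloc(sizeof *c);
    if (c == NULL) return NULL;
    c->version = 0x0303;
    if (!state3_new(c)) {
        if (use_safe_free) state3_free(c);
        else               state3_free_unsafe(c);   /* crashes here on OOM */
        free(c);
        return NULL;
    }
    return c;
}

static void conn_free(struct conn *c) {
    if (c == NULL) return;
    state3_free(c);
    free(c);
}

/* Runs conn_new() with allocation number k forced to fail.
 * Returns 1 if the constructor failed cleanly (NULL, no crash), 0 if it
 * built a complete object, which is then freed. */
static int oom_run(int k, int use_safe_free) {
    fail_at = k;
    alloc_calls = 0;
    struct conn *c = conn_new(use_safe_free);
    fail_at = 0;
    if (c == NULL) return 1;
    conn_free(c);
    return 0;
}

int main(void) {
    /* Allocation order inside conn_new(): 1 = conn, 2 = state3, 3 = buf. */
    for (int k = 0; k <= 3; k++)
        printf("fail allocation %d, safe free: %s\n", k,
               oom_run(k, 1) ? "clean failure" : "object built");
    /* oom_run(2, 0) or oom_run(3, 0) would dereference NULL; not run. */
    return 0;
}
```

Failing allocation 2 leaves `c->s3` NULL and failing allocation 3 makes `state3_new()` clean up after itself without ever assigning `c->s3`, so both reach the destructor with a NULL sub-state; only the NULL-tolerant destructor survives that. The same fault-injection approach (a counting allocator, or `malloc` interposed via `LD_PRELOAD`) is how this class of bug is found in a lab rather than from customer core dumps.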