Crash seen in OPENSSL_sk_pop_free

Fri Aug 13 16:41:01 UTC 2021

On 13/08/2021 17:31, Bala Duvvuri via openssl-users wrote:
> Hi All,
> 
> We are using OpenSSl version 1.1.1d in our program and crash is being seen in "OPENSSL_sk_pop_free" API, we invoke this API in our certificate verification API. Since crash is not seen always, trying to understand from OpenSSL code, when can this occur?

My first suspicion would be a double-free, i.e. calling a free routine 
on data that has already been freed. You might like to compile OpenSSL 
and your application with asan (use the enable-asan compile time 
Configure option for OpenSSL) and see if anything shows up.

Matt

> 
> Below is the bt of the crash
> 
> #0  0x0f31f438 in OPENSSL_sk_pop_free (st=0x1041de20, func=0xf34d5b0 <X509_free>) at crypto/stack/stack.c:367
>          i = 0
> #1  0x0f344c74 in sk_X509_pop_free (freefunc=<optimized out>, sk=<optimized out>) at include/openssl/x509.h:99
> No locals.
> #2  X509_STORE_CTX_cleanup (ctx=ctx at entry=0x1041ba70) at crypto/x509/x509_vfy.c:2454
> No locals.
> #3  0x0f344cf4 in X509_STORE_CTX_free (ctx=ctx at entry=0x1041ba70) at crypto/x509/x509_vfy.c:2281
> No locals
> ....
> 
> Below is the OpenSSL API
> 
> 360 void OPENSSL_sk_pop_free(OPENSSL_STACK *st, OPENSSL_sk_freefunc func)
> 361 {
> 362     int i;
> 363
> 364     if (st == NULL)
> 365         return;
> 366     for (i = 0; i < st->num; i++)
> 367         if (st->data[i] != NULL)---------------------> Crash seen here
> 368             func((char *)st->data[i]);
> 369     OPENSSL_sk_free(st);
> 370 }
> 
> Can someone please help to understand under what conditions this can happen?
> 
> We use the below API's during certificate verification:
> 
> X509_STORE_new()
> X509_STORE_CTX_new()
> X509_STORE_set_verify_cb_func
> X509_STORE_set_default_paths
> X509_STORE_load_locations
> X509_STORE_CTX_init
> X509_STORE_CTX_set_flags
> X509_verify_cert
> 
> /* Cleanup. */
> FREE_X509_STORE_CTX(pContext);
> 
> Thanks
> Bala
> 