Crash seen in "OPENSSL_sk_pop_free" API

Viktor Dukhovni openssl-users at
Mon Aug 16 16:14:42 UTC 2021

> On 16 Aug 2021, at 5:58 am, Bala Duvvuri via openssl-users <openssl-users at> wrote:
> We are using OpenSSl version 1.1.1d in our program and crash is being seen in "OPENSSL_sk_pop_free" API, we invoke this API in our certificate verification API. Since crash is not seen always, trying to understand from OpenSSL code, when can this occur?
> Below is the bt of the crash
> #0  0x0f31f438 in OPENSSL_sk_pop_free (st=0x1041de20, func=0xf34d5b0 <X509_free>) at crypto/stack/stack.c:367
> #1  0x0f344c74 in sk_X509_pop_free (freefunc=<optimized out>, sk=<optimized out>) at include/openssl/x509.h:99
> #2  X509_STORE_CTX_cleanup (ctx=ctx at entry=0x1041ba70) at crypto/x509/x509_vfy.c:2454
> #3  0x0f344cf4 in X509_STORE_CTX_free (ctx=ctx at entry=0x1041ba70) at crypto/x509/x509_vfy.c:2281

The call in question frees the certificate chain built by X509_verify_cert().

    sk_X509_pop_free(ctx->chain, X509_free);

That chain is owned by the X509_STORE_CTX.  You probably made the
mistake of freeing it (or one of the certificates in question) yourself.
There are two functions for accessing the built chain:

STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx)
    return ctx->chain;

STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
    if (!ctx->chain)
        return NULL;
    return X509_chain_up_ref(ctx->chain);

If you call X509_STORE_CTX_get0_chain(3), you MUST NOT free the result.
If you call X509_STORE_CTX_get1_chain(3), you own the chain copy, and
should free the result when you no longer need it.


More information about the openssl-users mailing list