Crash seen in "OPENSSL_sk_pop_free" API

Viktor Dukhovni openssl-users at dukhovni.org
Thu Aug 19 06:17:44 UTC 2021


On Thu, Aug 19, 2021 at 05:59:30AM +0000, Bala Duvvuri wrote:

> We invoke X509_verify_cert() during the certification verification and
> this fails (expectedly due to the missing CA certificate), so we
> invoke X509_STORE_CTX_free to clean up the "X509_STORE_CTX" context
> and hit this crash (this is not seen always)
> 
> X509_STORE_new()
> X509_STORE_CTX_new()
> X509_STORE_set_verify_cb_func

What does your callback do?

> X509_STORE_set_default_paths
> X509_STORE_load_locations
> X509_STORE_CTX_init
> X509_STORE_CTX_set_flags
> X509_verify_cert --------------------> Fails with error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY as CA certificate is not present.
> 
> /* Cleanup. */
> X509_STORE_CTX_free(pContext); -------------------->Crash seen here in sk_X509_pop_free
> 
> 360 void OPENSSL_sk_pop_free(OPENSSL_STACK *st, OPENSSL_sk_freefunc func)
> 361 {
> 362 int i;
> 363
> 364 if (st == NULL)
> 365 return;
> 366 for (i = 0; i < st->num; i++)
> 367 if (st->data[i] != NULL)---------------------> Crash seen here

If the backing array for the stack points at invalid memory, then something
has already freed the stack.

Which OpenSSL versions exhibit this issue?  Have you tried other (older
or newer) versions of OpenSSL to determine whether there's an OpenSSL
regression or more likely a bug in your code?

-- 
    Viktor.
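Added example, not part of the original message and not OpenSSL code: a self-contained C model of the ownership rule behind the remark that something has already freed the stack. It assumes a context that owns its chain stack and a get1-style accessor that hands the caller a separately owned, up-referenced copy; all names (`mstack`, `verify_ctx`, `ctx_get1_chain`, `ctx_cleanup`) are hypothetical.

```c
#include <stdlib.h>
/* Model only: hypothetical names, not OpenSSL's implementation. */
typedef struct { int refs; } cert_t;
typedef struct { int num; void **data; } mstack;  /* same shape as the quoted stack */
typedef struct { mstack *chain; } verify_ctx;     /* the context owns its chain */
static int live_certs = 0;                        /* certs currently allocated */
static cert_t *cert_new(void) {
    cert_t *c = malloc(sizeof *c);
    c->refs = 1; live_certs++;
    return c;
}
static void cert_free(void *p) {                  /* drop one reference */
    if (p != NULL && --((cert_t *)p)->refs == 0) { free(p); live_certs--; }
}
static mstack *sk_new(int n) {
    mstack *st = malloc(sizeof *st);
    st->num = n; st->data = calloc((size_t)n, sizeof *st->data);
    return st;
}
/* Same loop as the quoted function; the NULL test helps only if the owner cleared its pointer. */
static void sk_pop_free(mstack *st, void (*func)(void *)) {
    if (st == NULL) return;
    for (int i = 0; i < st->num; i++)
        if (st->data[i] != NULL) func(st->data[i]);
    free(st->data); free(st);
}
/* get1 style: caller-owned stack, every cert up-referenced. */
static mstack *ctx_get1_chain(verify_ctx *ctx) {
    mstack *cp = sk_new(ctx->chain->num);
    for (int i = 0; i < cp->num; i++) {
        cp->data[i] = ctx->chain->data[i];
        ((cert_t *)cp->data[i])->refs++;
    }
    return cp;
}
static void ctx_cleanup(verify_ctx *ctx) {
    sk_pop_free(ctx->chain, cert_free);
    ctx->chain = NULL;                            /* repeat cleanup becomes a no-op */
}
/* Returns certs left allocated (0 expected), or -1 if an ownership check fails. */
int safe_cleanup_leaks(void) {
    verify_ctx ctx = { sk_new(3) };
    for (int i = 0; i < 3; i++) ctx.chain->data[i] = cert_new();
    mstack *mine = ctx_get1_chain(&ctx);          /* own copy, not the context's pointer */
    ctx_cleanup(&ctx); ctx_cleanup(&ctx);         /* second call sees NULL and returns */
    if (ctx.chain != NULL || ((cert_t *)mine->data[0])->refs != 1) return -1;
    sk_pop_free(mine, cert_free);                 /* caller frees only what it owns */
    return live_certs;
}
int main(void) { return safe_cleanup_leaks(); }
```

Each stack is freed exactly once by its owner, so the loop never walks a `data` array that was already released.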

