BIO_flush Segmentation Fault Issue

Jay Foster jayf0ster at
Thu Sep 29 20:02:48 UTC 2022

I have an application that constructs a chain of BIOs.  Sometimes this 
chain also includes an SSL BIO.  Years ago, I ran into a problem that 
caused BIO_flush() to segfault on the SSL BIO.  This turned out to 
happen because the SSL BIO is added using SSL_set_bio() instead of 
BIO_push().  SSL_set_bio() results in the SSL BIO always having a NULL 
bio_next value, so BIO_flush then crashes dereferencing this NULL 
pointer when it calls BIO_copy_next_retry() on the SSL BIO (see 
BIO_CTRL_FLUSH in ssl/bio_ssl.c).

This was reported as ticket 2615 years ago.

My question is, how could calling BIO_flush() on a BIO chain with an SSL 
BIO ever work?  Is there a way to add the SSL BIO using BIO_push() 
instead of SSL_set_bio()?


More information about the openssl-users mailing list