<div>
<br>Viktor,<br><br>Thank you for taking a look.<br><br>We are not invoking either of the APIs X509_STORE_CTX_get0_chain/X509_STORE_CTX_get1_chain.<br><br>We invoke X509_verify_cert() during the certificate verification and this fails (expectedly, due to the missing CA certificate), so we invoke X509_STORE_CTX_free to clean up the "X509_STORE_CTX" context and hit this crash (this is not always seen):<br><br>
<pre>
X509_STORE_new()
X509_STORE_CTX_new()
X509_STORE_set_verify_cb_func
X509_STORE_set_default_paths
X509_STORE_load_locations
X509_STORE_CTX_init
X509_STORE_CTX_set_flags
X509_verify_cert                             --------------------&gt; Fails with error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY as CA certificate is not present.

/* Cleanup. */
X509_STORE_CTX_free(pContext);  --------------------&gt; Crash seen here in sk_X509_pop_free

360 void OPENSSL_sk_pop_free(OPENSSL_STACK *st, OPENSSL_sk_freefunc func)
361 {
362    int i;
363
364    if (st == NULL)
365        return;
366    for (i = 0; i &lt; st-&gt;num; i++)
367        if (st-&gt;data[i] != NULL)---------------------&gt; Crash seen here
368            func((char *)st-&gt;data[i]);
369    OPENSSL_sk_free(st);
370 }
</pre>
Thanks<br>Bala<br>
</div>
<div class="yahoo_quoted" style="margin:10px 0px 0px 0.8ex;border-left:1px solid #ccc;padding-left:1ex;">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>On Monday, 16 August, 2021, 11:40:24 pm IST, Viktor Dukhovni &lt;openssl-users@dukhovni.org&gt; wrote:</div>
<div><br></div>
<div><br></div>
<div><div dir="ltr">&gt; On 16 Aug 2021, at 5:58 am, Bala Duvvuri via openssl-users &lt;<a shape="rect" ymailto="mailto:openssl-users@openssl.org" href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a>&gt; wrote:<div class="yqt0106192425" id="yqtfd05195"><br clear="none">&gt; <br clear="none">&gt; We are using OpenSSL version 1.1.1d in our program and a crash is being seen in the "OPENSSL_sk_pop_free" API; we invoke this API in our certificate verification API. Since the crash is not always seen, we are trying to understand from the OpenSSL code: when can this occur?<br clear="none">&gt; <br clear="none">&gt; Below is the bt of the crash:<br clear="none">&gt; <br clear="none">
<pre>
&gt; #0  0x0f31f438 in OPENSSL_sk_pop_free (st=0x1041de20, func=0xf34d5b0 &lt;X509_free&gt;) at crypto/stack/stack.c:367
&gt; #1  0x0f344c74 in sk_X509_pop_free (freefunc=&lt;optimized out&gt;, sk=&lt;optimized out&gt;) at include/openssl/x509.h:99
&gt; #2  X509_STORE_CTX_cleanup (ctx=ctx@entry=0x1041ba70) at crypto/x509/x509_vfy.c:2454
&gt; #3  0x0f344cf4 in X509_STORE_CTX_free (ctx=ctx@entry=0x1041ba70) at crypto/x509/x509_vfy.c:2281
</pre>
</div><br clear="none"><br clear="none">The call in question frees the certificate chain built by X509_verify_cert().<br clear="none"><br clear="none">
<pre>
    sk_X509_pop_free(ctx-&gt;chain, X509_free);
</pre>
That chain is owned by the X509_STORE_CTX. You probably made the mistake of freeing it (or one of the certificates in question) yourself.<br clear="none">There are two functions for accessing the built chain:<br clear="none"><br clear="none">
<pre>
STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx)
{
    return ctx-&gt;chain;
}

STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
{
    if (!ctx-&gt;chain)
        return NULL;
    return X509_chain_up_ref(ctx-&gt;chain);
}
</pre>
If you call X509_STORE_CTX_get0_chain(3), you MUST NOT free the result.<br clear="none">If you call X509_STORE_CTX_get1_chain(3), you own the chain copy, and should free the result when you no longer need it.<br clear="none"><br clear="none">-- <br clear="none">    Viktor.<div class="yqt0106192425" id="yqtfd16258"><br clear="none"><br clear="none"></div></div></div>
</div>
</div>