From 26dd07d478ef2e9e02f8c27e6114f3e83da3d0f7 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Mon, 2 Nov 2015 13:43:16 +0100
Subject: Fix a null dereference in ssl3_free() upon error
This patch fixes a NULL dereference issue when SSL_new() fails due to a low memory condition. Here it is possible that ssl3_new() fails, but despite this ssl3_free() is called along the error path and doesn't check that s->s3 is valid before dereferencing it. The first victim here is ssl3_cleanup_key_block() but it can happen a few lines earlier depending on the #ifdef. Since ssl3_free() already used to check for the validity of its SSL pointer argument, let's make it also check for s->s3 which it works on, and make it ignore a NULL there. The error was repeatedly encountered on openssl 1.0.1p. Tests with newer versions were not made yet. Backtrace below :
Program terminated with signal 11, Segmentation fault.
456 if (s->s3->tmp.key_block != NULL) {
(gdb) bt
#0 0x000000000051e2a7 in ssl3_cleanup_key_block (s=0x245e4f0) at s3_enc.c:456
#1 0x000000000051ab76 in ssl3_free (s=0x245e4f0) at s3_lib.c:2968
#2 0x0000000000528319 in tls1_free (s=0x245e4f0) at t1_lib.c:167
#3 0x0000000000534fba in SSL_free (s=0x245e4f0) at ssl_lib.c:597
#4 0x0000000000534802 in SSL_new (ctx=0x205e938) at ssl_lib.c:395
---
 ssl/s3_lib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index ad9eeb6..64793d6 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -2983,7 +2983,7 @@ int ssl3_new(SSL *s)
 void ssl3_free(SSL *s)
 {
- if (s == NULL)
+ if (s == NULL || s->s3 == NULL)
 return;
 #ifdef TLSEXT_TYPE_opaque_prf_input
-- 
1.7.12.1
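Review bot: The new `s->s3 == NULL` guard carries no comment saying when that state is legitimate, so the reason lives only in the commit message and a later reader of s3_lib.c cannot tell whether a NULL s->s3 here is an expected partially-constructed SSL or a bug being papered over. I would annotate the guard, e.g. `/* s->s3 is NULL when ssl3_new() failed (e.g. OOM inside SSL_new()); there is nothing to release */`. If, as the function name suggests, the tail of ssl3_free() (outside this hunk) frees s->s3 and resets it to NULL, the guard also makes a repeated call harmless, which is worth stating in the same comment since callers on error paths may rely on it. The DTLS free routine presumably wraps this function and then touches its own per-protocol state, which would need an equivalent partial-initialisation check; that should be verified rather than assumed. The body of ssl3_free() continues past the end of the hunk.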