From 4cee1248fcc3c18ea03672033f44c9e362d53a85 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Tue, 27 Oct 2015 20:31:57 +0100
Subject: Fix reference count on error path in SSL_new()

This patch fixes a reference issue when SSL_new() fails due to a low memory condition. What happens is that a few error checks end up with a "goto err" statement which calls SSL_free() to clear what was allocated, but since this function first checks that s->references was exactly one before proceeding, the fact that the references is set to 1 only after a successful SSL_new() makes SSL_free() abort() on all prior errors.

The proper fix consists in moving the references assignment just after initialization of 's' so that all the error path is properly covered.

The error was repeatedly encountered on openssl 1.0.1p. Tests with newer versions were not made yet.

(gdb) bt
#0 0x0000000000534c5f in SSL_free (s=0x7fa89ee11700) at ssl_lib.c:524
#1 0x00000000005347f6 in SSL_new (ctx=0x274dec8) at ssl_lib.c:393
---
 ssl/ssl_lib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index d72756a..63b9814 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -299,6 +299,7 @@ SSL *SSL_new(SSL_CTX *ctx)
     if (s == NULL)
         goto err;
     memset(s, 0, sizeof(SSL));
+    s->references = 1; /* to please SSL_free() along the "goto err" path */
 
 #ifndef OPENSSL_NO_KRB5
     s->kssl_ctx = kssl_ctx_new();
@@ -405,7 +406,6 @@ SSL *SSL_new(SSL_CTX *ctx)
     if (!s->method->ssl_new(s))
         goto err;
 
-    s->references = 1;
     s->server = (ctx->method->ssl_accept == ssl_undefined_function) ? 0 : 1;
     SSL_clear(s);
-- 
1.7.12.1
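Review bot: The comment on the added `s->references = 1;` line describes the motivation as a workaround ("to please SSL_free()") rather than the invariant it establishes, which is what the next person tempted to move the line back down would need; I'd write `s->references = 1; /* the creator's reference: every "goto err" below relies on SSL_free() seeing a count of 1 so it actually releases s */`. The `goto err` on the `s == NULL` check still runs before this assignment, so the `err:` label (outside the hunk) must keep tolerating a NULL `s` — presumably it already does, since that path predates the patch, but it is worth confirming rather than assuming. Holding a live count this early also means SSL_free() now runs against a partially built object on every early error path; that should be safe on the fields zeroed by the memset above, but any sub-object release in SSL_free() that is not NULL-tolerant would turn an allocation failure into a crash, so the error path deserves an OOM-injection test. SSL_new's body starts before this hunk and continues past it.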