On Wed, 29 Nov 2017, trondd wrote:
> >Synopsis: When running 'openssl ocsp' and specifying a -url and a bad
> -host the result is a core dump and possible double free
...
> When using openssl ocsp to try to make an OCSP verification request, there
> is a core dump (double free?) if you specify -url and then specify a bad
> -host at the same time. Oddly, if you specify -host first, then -url, it
> doesn't crash.

Yeah, combining -url with any of -host, -port, or -path should simply be an error, as -url specifies all three of them (plus http vs https). What's happening is that with -url we have to parse the argument into allocated host, port, and path strings which should be freed, but the -host argument resets the host variable with the raw argv pointer, which must _not_ be freed.

Making this a usage error is the best solution, IMO. Bob and I are testing a diff to do so.

Philip Guenther
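
The ownership problem described in the reply above, as an added example that is not part of the original message and not the openssl source or the diff under test: an option parser that records whether its strings were allocated from -url or alias argv, and rejects mixing -url with -host, -port, or -path in either order. The struct, function names, and the simplified URL splitter are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical option state for this example, not the openssl(1) source. */
struct ocsp_opts {
    char *host, *port, *path;
    int from_url;   /* strings were allocated by split_url(): must be freed */
    int from_argv;  /* strings alias argv[]: must never be freed */
};
static char *dup_range(const char *s, size_t n)
{
    char *p = calloc(n + 1, 1);          /* zero-filled, so NUL-terminated */
    return p ? memcpy(p, s, n) : NULL;
}
/* Simplified splitter for "http://host[:port][/path]" (constructed). */
static int split_url(const char *url, struct ocsp_opts *o)
{
    if (strncmp(url, "http://", 7) != 0) return -1;
    const char *h = url + 7, *rest = h + strcspn(h, ":/");
    size_t plen = (*rest == ':') ? strcspn(rest + 1, "/") : 0;
    const char *path = rest + (*rest == ':' ? 1 + plen : 0);
    o->from_url = 1;                     /* from here on we own the strings */
    o->host = dup_range(h, (size_t)(rest - h));
    o->port = plen ? dup_range(rest + 1, plen) : dup_range("80", 2);
    o->path = *path ? dup_range(path, strlen(path)) : dup_range("/", 1);
    return (o->host && o->port && o->path) ? 0 : -1;
}
void opts_free(struct ocsp_opts *o)
{
    if (o->from_url) { free(o->host); free(o->port); free(o->path); }
    memset(o, 0, sizeof(*o));
}
/* Returns 0, or -1 for a usage error; option order does not matter. */
int parse_args(int argc, char **argv, struct ocsp_opts *o)
{
    memset(o, 0, sizeof(*o));
    for (int i = 1; i < argc; i += 2) {
        char **slot = !strcmp(argv[i], "-host") ? &o->host :
                      !strcmp(argv[i], "-port") ? &o->port :
                      !strcmp(argv[i], "-path") ? &o->path : NULL;
        int is_url = !strcmp(argv[i], "-url");
        if (i + 1 >= argc || (!slot && !is_url) || (slot && o->from_url) ||
            (is_url && (o->from_argv || o->from_url)) ||
            (is_url && split_url(argv[i + 1], o) != 0)) {
            opts_free(o);   /* e.g. -url mixed with -host/-port/-path */
            return -1;
        }
        if (slot) { *slot = argv[i + 1]; o->from_argv = 1; }
    }
    return 0;
}
```

Because the two sources can never be mixed, `opts_free()` only ever frees pointers that `split_url()` allocated, whichever option came first on the command line.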
