The note below applies to the openssl-0.9.6a distribution.

The [ssl_comp_methods] variable defined in ssl\ssl_ciph.c:77 is neither reference counted nor has proper ownership management routines. Consider the following call sequence:

    1: SSL_CTX * ctx = 0;
    2: SSL * ssl = 0;
    3:
    4: SSL_COMP_get_compression_methods(id, method);
    5:
    6: ctx = SSL_CTX_new(SSLv3_client_method());
    7: ssl = SSL_new(ctx);
    8:
    9: SSL_free(ssl);

Line 4 initializes the [ssl_comp_methods] variable to some non-null value.

Line 6 expands into the following call sequence:

    ssl_lib.c:1199 - ret->comp_methods=SSL_COMP_get_compression_methods();
    ssl_ciph.c:1048 - return(ssl_comp_methods);

This means that the [ssl_comp_methods] value is simply copied to [ctx->comp_methods].

Line 9 expands into:

    ssl_lib.c:376 - if (s->ctx) SSL_CTX_free(s->ctx);
    ssl_lib.c:1250 - sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free);
    stack.c:289 - sk_free(st);

This means that the instance of COMP_stack pointed to *both* by [ctx->comp_methods] and [ssl_comp_methods] is getting destroyed, and [ssl_comp_methods] will be pointing to garbage. Moreover, since it's not zeroed, all subsequent calls to SSL_COMP_get_compression_methods() will crash, and calls to SSL_CTX_new() will return a partially invalid context.

I am not subscribed to any of the openssl mailing lists, so if you'd like to reply - please, reply directly.

regards,
alex.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
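The ownership problem described in the message above, reduced to a small C model with one possible remedy (a reference count on the shared stack). This is an added example, not code from the original message or from OpenSSL; every type and function name in it (comp_stack, ctx_t, g_methods, methods_add, ctx_new, ctx_free, replay) is a hypothetical stand-in, and reference counting is an assumed fix, not necessarily the one the project adopted.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the COMP stack and SSL_CTX; not OpenSSL types. */
typedef struct { int refs; int num; } comp_stack;
typedef struct { comp_stack *comp_methods; } ctx_t;

static comp_stack *g_methods; /* plays the role of ssl_comp_methods */

static void stack_release(comp_stack *s) {
    if (s && --s->refs == 0) free(s); /* only the last owner frees */
}

/* Registration lazily creates the global table (line 4 of the report). */
static int methods_add(void) {
    if (!g_methods) {
        g_methods = calloc(1, sizeof *g_methods);
        if (!g_methods) return 0;
        g_methods->refs = 1; /* reference held by the global itself */
    }
    g_methods->num++;
    return 1;
}

/* Context creation takes a counted reference, not a bare pointer copy. */
static ctx_t *ctx_new(void) {
    ctx_t *c = calloc(1, sizeof *c);
    if (c && g_methods) { g_methods->refs++; c->comp_methods = g_methods; }
    return c;
}

/* Context teardown drops only the context's own reference. */
static void ctx_free(ctx_t *c) {
    if (!c) return;
    stack_release(c->comp_methods);
    free(c);
}

/* Replays the reported sequence; returns the global's refcount afterwards. */
static int replay(void) {
    ctx_t *c;
    if (!methods_add() || !(c = ctx_new())) return -1;
    ctx_free(c); /* in the report, this step freed the shared stack */
    return g_methods->refs; /* still valid: the global kept its reference */
}

int main(void) {
    printf("refs after ctx_free: %d\n", replay());
    stack_release(g_methods); g_methods = NULL; /* library-level teardown */
    return 0;
}
```

With the bare pointer copy described in the report, the `ctx_free` step would leave `g_methods` dangling; here it only decrements the count, so a second context can be created safely.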
