This patch fixes a NULL dereference issue when SSL_new() fails due to a
low memory condition. Here it is possible that ssl3_new() fails, but
despite this ssl3_free() is called along the error path and doesn't check
that s->s3 is valid before dereferencing it. The first victim here is
ssl3_cleanup_key_block() but it can happen a few lines earlier depending
on the #ifdef.

Since ssl3_free() already used to check for the validity of its SSL
pointer argument, let's make it also check for s->s3 which it works on,
and make it ignore a NULL there.

The error was repeatedly encountered on openssl 1.0.1p. Tests with newer
versions were not made yet.

Backtrace below:

Program terminated with signal 11, Segmentation fault.
#0  0x000000000051e2a7 in ssl3_cleanup_key_block (s=0x245e4f0) at s3_enc.c:456
456         if (s->s3->tmp.key_block != NULL) {
(gdb) bt
#0  0x000000000051e2a7 in ssl3_cleanup_key_block (s=0x245e4f0) at s3_enc.c:456
#1  0x000000000051ab76 in ssl3_free (s=0x245e4f0) at s3_lib.c:2968
#2  0x0000000000528319 in tls1_free (s=0x245e4f0) at t1_lib.c:167
#3  0x0000000000534fba in SSL_free (s=0x245e4f0) at ssl_lib.c:597
#4  0x0000000000534802 in SSL_new (ctx=0x205e938) at ssl_lib.c:395
#

--- ./ssl/s3_lib.c.dist 2015-10-27 20:21:47.980188704 +0100
+++ ./ssl/s3_lib.c      2015-10-27 20:21:48.868193718 +0100
@@ -2955,7 +2955,7 @@
 
 void ssl3_free(SSL *s)
 {
-    if (s == NULL)
+    if (s == NULL || s->s3 == NULL)
         return;
 
 #ifdef TLSEXT_TYPE_opaque_prf_input
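Review bot: the added `s->s3 == NULL` check in the guard at the top of ssl3_free() is the right place for it, since every later statement in the function (including the ssl3_cleanup_key_block() call seen in the backtrace and the code under `#ifdef TLSEXT_TYPE_opaque_prf_input` that follows) works on s->s3, but the reason it can be NULL is not obvious from the code and deserves a short comment so a future cleanup does not drop it. Something like `/* s->s3 may be NULL if ssl3_new() failed and SSL_new() is unwinding via SSL_free() */` above the check would record that this path is reached with a partially constructed SSL object rather than a fully initialised one.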

_______________________________________________
openssl-bugs-mod mailing list
[email protected]
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev