In crypto/mem_dbg.c, the type of static function pop_info() is to return an APP_INFO*. This pointer can be a dangling pointer, as can be seen in the following link as long as one assumes that line 382 is reachable (it is).
https://github.com/openssl/openssl/blob/90945fa31a42dcf3beb90540c618e4d627c595ea/crypto/mem_dbg.c#L382-L386 Returning a dangling pointer from a function is not terribly good style. Using dangling pointers for anything is technically undefined behavior, so there is nothing in theory that a caller can do with the function's result that will not be illegal when a dangling pointer is returned. (It is well-known that dereferencing dangling pointers is undefined behavior, but examples at http://blog.regehr.org/archives/767#comment-4717 and at http://trust-in-soft.com/dangling-pointer-indeterminate/ show that the behavior of a program the *only* fault of which is to compare a dangling pointer to something else can be surprising too). The function pop_info() being static, no-one may use it outside mem_dbg.c and the callers inside mem_dbg.c do not dereference the returned pointer. They do use it in a comparison though, which should ideally be avoided because of the examples above. The attached patch does three small things: - change the type of the function to return an int: 1 if the pointer ret was non-null before being possibly freed, 0 otherwise, and adjust the two call sites correspondingly; - add a one-line comment describing the behavior of the function; - rename the local variable ret, the name of which no longer makes sense, into "current". None of these three things should change the behavior in practice of OpenSSL. As compiled with current C compilers, the tests "pop_info() != NULL" evaluated to 1 when a dangling pointer was returned. These tests were replaced with "pop_info()" which now evaluates to 1 under the circumstances in which a dangling pointer was returned.
Description: Binary data
_______________________________________________ openssl-bugs-mod mailing list openssl-bugs-...@openssl.org https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod
_______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev