On Thu, May 24, 2012 at 8:16 AM, Sudarshan Raghavan
<[email protected]> wrote:
> Hi,
>
> I am using CRYPTO_set_mem_functions to use our own custom memory
> routines in a non blocking proxy implementation. This was working fine
> in 0.9.8 and 1.0.0 but with 1.0.1c I can see that the custom free
> routine is being invoked with a NULL argument after calling SSL_free
> and this results in the proxy crashing.
>
> #3 0x0828bd24 in CUSTOM_FREE (oldMem=0x0) at custom_mem.c:340
> #4 0xb75342b4 in CRYPTO_free () from
> /home/product/code/firmware/current/lib/openssl1.0/lib/libcrypto.so.1.0.0
> #5 0x00000000 in ?? ()
>
> This happens every time the SSL connection is torn down. If I don't
> use CRYPTO_set_mem_functions it works fine. I am assuming the default
> free routine ignores a NULL argument. Is it an expectation from the
> custom free routine to also ignore NULL? I can provide more
> information if needed. Can someone help me debug this problem?

Agreed on non-NULL pointers.

Perhaps I'm looking at the wrong free function (or I'm not
reading/deducing correct behavior), but it looks like a double free to
me:

    void CRYPTO_free(void *str)
    {
        if (free_debug_func != NULL)
            free_debug_func(str, 0);
    #ifdef LEVITTE_DEBUG
        fprintf(stderr, "LEVITTE_DEBUG: < 0x%p\n", str);
    #endif
        free_func(str);
        if (free_debug_func != NULL)
            free_debug_func(NULL, 1);
    }

Regarding parameter validation, below is a perfect example since free
(from above) does not appear to include a size. Are implementations
verifying `num` is not less than 0 since it is defined as an integer?
It's clear the OpenSSL code is not verifying its parameters. What's not
clear to me is why one can even specify a negative size.

    void *CRYPTO_malloc(int num, const char *file, int line)
    {
        void *ret = NULL;
        allow_customize = 0;
        if (malloc_debug_func != NULL)
        {
            allow_customize_debug = 0;
            malloc_debug_func(NULL, num, file, line, 0);
        }
        ret = malloc_func(num);
    #ifdef LEVITTE_DEBUG
        fprintf(stderr, "LEVITTE_DEBUG: > 0x%p (%d)\n", ret, num);
    #endif
        if (malloc_debug_func != NULL)
            malloc_debug_func(ret, num, file, line, 1);
        return ret;
    }

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
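
Added example, not part of the thread and not OpenSSL code: a set of custom memory routines whose free callback treats NULL as a no-op, as free(3) does, and whose int-sized entry point rejects num <= 0 before the conversion to size_t. All proxy_* names are hypothetical, and the size_t-based callback signatures are assumed to be the ones CRYPTO_set_mem_functions takes in the 1.0.x series.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical accounting allocator: a size header sits in front of each block. */
typedef union { size_t size; max_align_t align; } hdr_t;
static size_t live_bytes;   /* bytes currently handed out */
static size_t null_frees;   /* times the free callback was given NULL */

static int bad_size(size_t n) { return n == 0 || n > SIZE_MAX - sizeof(hdr_t); }

void *proxy_malloc(size_t n)
{
    hdr_t *h = bad_size(n) ? NULL : malloc(sizeof(hdr_t) + n);
    if (h == NULL)
        return NULL;
    h->size = n;
    live_bytes += n;
    return h + 1;
}

void proxy_free(void *p)
{
    if (p == NULL) {        /* without this guard the header read below faults */
        null_frees++;
        return;
    }
    hdr_t *h = (hdr_t *)p - 1;
    live_bytes -= h->size;
    free(h);
}

void *proxy_realloc(void *p, size_t n)
{
    if (p == NULL)
        return proxy_malloc(n);      /* realloc(NULL, n) behaves like malloc(n) */
    if (bad_size(n))
        return NULL;                 /* original block is left untouched */
    size_t old = ((hdr_t *)p - 1)->size;
    hdr_t *h = realloc((hdr_t *)p - 1, sizeof(hdr_t) + n);
    if (h == NULL)
        return NULL;
    h->size = n;
    live_bytes = live_bytes - old + n;
    return h + 1;
}

/* int-sized entry point: a negative num must never reach the size_t cast */
void *proxy_malloc_int(int num) { return num <= 0 ? NULL : proxy_malloc((size_t)num); }
```

Under the signature assumption above, the three callbacks would be registered as CRYPTO_set_mem_functions(proxy_malloc, proxy_realloc, proxy_free) before any other OpenSSL call.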