In SSL_new, s->references is set to 1 AFTER ssl_new successfully completes. If it errors out, SSL_free() is called, which decrements it; but since it was never set to 1, this will cause a crash if REF_CHECK is defined, since i will be less than zero. There are also a few other "goto err" cases in SSL_new before s->references is set to 1.
SSL_new code:

    if (!s->method->ssl_new(s)) goto err;
    s->references=1;

Error handling:

err:
    if (s != NULL) SSL_free(s);
    SSLerr(SSL_F_SSL_NEW,ERR_R_MALLOC_FAILURE);
    return(NULL);

SSL_free code:

    if(s == NULL) return;
    i=CRYPTO_add(&s->references,-1,CRYPTO_LOCK_SSL);
#ifdef REF_PRINT
    REF_PRINT("SSL",s);
#endif
    if (i > 0) return;
#ifdef REF_CHECK
    if (i < 0)
        {
        fprintf(stderr,"SSL_free, bad reference count\n");
        abort(); /* ok */
        }
#endif

Thanks
Narendra Meka
Cisco Systems
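The ordering defect described in the post, reduced to a stand-alone C model (an added example, not code from the post or from OpenSSL): obj_t, crypto_add(), inner_new(), obj_free(), obj_new_buggy() and obj_new_fixed() are assumed stand-ins for the SSL object, CRYPTO_add(), method->ssl_new(), SSL_free() and the two orderings of SSL_new(). The free routine returns -1 where REF_CHECK would abort(), so the bad count is observable instead of fatal.

```c
#include <stdlib.h>

/* Stand-in for the SSL object: the reference count plus a flag that
 * makes the inner constructor fail (constructed for this example). */
typedef struct {
    int references;
    int fail_inner;
} obj_t;

/* Stand-in for CRYPTO_add(): adds amount and returns the new value. */
static int crypto_add(int *p, int amount) { return *p += amount; }

/* Stand-in for s->method->ssl_new(): 1 on success, 0 on failure. */
static int inner_new(obj_t *s) { return s->fail_inner ? 0 : 1; }

/* Stand-in for SSL_free(). Returns -1 where REF_CHECK would abort()
 * (count dropped below zero), 0 when the object is released cleanly. */
static int obj_free(obj_t *s) {
    if (s == NULL) return 0;
    int i = crypto_add(&s->references, -1);
    if (i > 0) return 0;            /* other holders remain */
    free(s);
    return i < 0 ? -1 : 0;          /* -1 == "bad reference count" */
}

/* Reported ordering: references is set only after inner_new() succeeds,
 * so the err path frees an object whose count is still 0. The result
 * of obj_free() on that path is stored in *free_rc. */
static obj_t *obj_new_buggy(int fail_inner, int *free_rc) {
    obj_t *s = calloc(1, sizeof *s);
    if (s == NULL) return NULL;
    s->fail_inner = fail_inner;
    if (!inner_new(s)) goto err;
    s->references = 1;
    return s;
err:
    *free_rc = obj_free(s);
    return NULL;
}

/* Fixed ordering: the count is 1 before any step that can fail. */
static obj_t *obj_new_fixed(int fail_inner, int *free_rc) {
    obj_t *s = calloc(1, sizeof *s);
    if (s == NULL) return NULL;
    s->references = 1;
    s->fail_inner = fail_inner;
    if (!inner_new(s)) goto err;
    return s;
err:
    *free_rc = obj_free(s);
    return NULL;
}
```

With the buggy ordering the error path decrements 0 to -1, which is exactly the branch REF_CHECK turns into an abort(); with the count initialised first, the same failure frees the object at 0 and returns cleanly.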