
From:
Solar Flare <soflare@gmail.com>
Subject:
[PATCH] libressl: Fix a reference counting bug
To:
tech@openbsd.org
Date:
Thu, 28 May 2026 14:04:52 +0800

Hi,

This bug causes double free of the ssl->rbio object. A sample code to
reproduce the issue:

#include <openssl/ssl.h>

int main(void)
{
    /* SSL_set_fd() installs one socket BIO as both rbio and wbio. */
    SSL *s = SSL_new(SSL_CTX_new(TLS_client_method()));
    SSL_set_fd(s, 1);
    /*
     * rbio is kept, wbio becomes NULL: the old wbio is freed even
     * though it is the same object as the retained rbio.
     */
    SSL_set_bio(s, SSL_get_rbio(s), NULL);
    SSL_free(s); /* segfault here */
    return 0;
}

---------------------------------------------------------------------------
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 8cce44603..64988f8b0 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -620,7 +620,7 @@ SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio)

        if (s->rbio != rbio && s->rbio != s->wbio)
                BIO_free_all(s->rbio);
-       if (s->wbio != wbio)
+       if (s->wbio != wbio && s->rbio != s->wbio)
                BIO_free_all(s->wbio);
        s->rbio = rbio;
        s->wbio = wbio;
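Review bot: the guard added on the wbio branch (`s->rbio != s->wbio`) also suppresses the free when a shared rbio/wbio pair is replaced by two new BIOs: with s->rbio == s->wbio and both arguments different, the rbio branch already skips because of its own `s->rbio != s->wbio` check, and the wbio branch now skips too, so the old shared BIO is never released and leaks. The question the wbio branch needs to ask is whether the old wbio is being kept as the new rbio, not whether the two old BIOs are equal: `if (s->wbio != wbio && s->wbio != rbio)` frees the shared BIO exactly once in the replace case and still avoids the double free in the reported case, where the old wbio is passed back as the new rbio. The rbio branch in the context above has the mirror-image gap, freeing s->rbio when it is passed in as the new wbio; adding `&& s->rbio != wbio` there covers that swap.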
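To make the ownership cases concrete, here is a model of the two free decisions in SSL_set_bio() run against a counting stand-in for BIO. It is an added example, not LibreSSL code: the mock_bio and mock_ssl types, the teardown rule assumed in ssl_free() (free rbio, free wbio only if it is a distinct object) and the "suggested" variant's conditions are assumptions of this example, not part of the patch. Each scenario returns how many times the BIO of interest was freed, so 1 is correct, 2 is a double free and 0 is a leak.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Stand-in for a BIO (assumption: not LibreSSL's struct). Instead of
 * really freeing, count the frees so a double free (count 2) and a leak
 * (count 0) are both visible.
 */
struct mock_bio {
	const char *name;
	int frees;
};

struct mock_ssl {
	struct mock_bio *rbio;
	struct mock_bio *wbio;
};

/* BIO_free_all(NULL) is a no-op; mirror that. */
static void bio_free_all(struct mock_bio *b)
{
	if (b != NULL)
		b->frees++;
}

enum variant {
	VARIANT_ORIG,      /* the conditions before the patch */
	VARIANT_PATCH,     /* the conditions proposed in the patch */
	VARIANT_SUGGESTED  /* assumed alternative: test the retained BIO, not the old pair */
};

/* Only the two free decisions from SSL_set_bio() are modelled. */
static void set_bio(struct mock_ssl *s, struct mock_bio *rbio,
    struct mock_bio *wbio, enum variant v)
{
	int free_r = 0, free_w = 0;

	switch (v) {
	case VARIANT_ORIG:
		free_r = s->rbio != rbio && s->rbio != s->wbio;
		free_w = s->wbio != wbio;
		break;
	case VARIANT_PATCH:
		free_r = s->rbio != rbio && s->rbio != s->wbio;
		free_w = s->wbio != wbio && s->rbio != s->wbio;
		break;
	case VARIANT_SUGGESTED:
		free_r = s->rbio != rbio && s->rbio != s->wbio && s->rbio != wbio;
		free_w = s->wbio != wbio && s->wbio != rbio;
		break;
	}
	if (free_r)
		bio_free_all(s->rbio);
	if (free_w)
		bio_free_all(s->wbio);
	s->rbio = rbio;
	s->wbio = wbio;
}

/* Assumed teardown rule: free rbio, and wbio only if it is a distinct object. */
static void ssl_free(struct mock_ssl *s)
{
	bio_free_all(s->rbio);
	if (s->wbio != s->rbio)
		bio_free_all(s->wbio);
}

/* The reported case: SSL_set_fd() made rbio == wbio, then wbio is dropped. */
int repro_frees(enum variant v)
{
	struct mock_bio b = { "shared", 0 };
	struct mock_ssl s = { &b, &b };

	set_bio(&s, &b, NULL, v);
	ssl_free(&s);
	return b.frees;   /* 1 is correct; 2 is the double free */
}

/* Shared pair replaced by two fresh BIOs: the old one must be freed once. */
int replace_shared_frees(enum variant v)
{
	struct mock_bio b = { "shared", 0 }, x = { "x", 0 }, y = { "y", 0 };
	struct mock_ssl s = { &b, &b };

	set_bio(&s, &x, &y, v);
	ssl_free(&s);
	return b.frees;   /* 0 means the shared BIO leaked */
}

/* Distinct pair swapped: set_bio must free nothing, both are retained. */
int swap_frees(enum variant v)
{
	struct mock_bio a = { "a", 0 }, b = { "b", 0 };
	struct mock_ssl s = { &a, &b };

	set_bio(&s, &b, &a, v);
	ssl_free(&s);
	return a.frees + b.frees;   /* 2 is correct; 4 is two double frees */
}

int main(void)
{
	static const char *names[] = { "original", "patch", "suggested" };
	enum variant v;

	for (v = VARIANT_ORIG; v <= VARIANT_SUGGESTED; v++)
		printf("%-9s repro=%d replace_shared=%d swap=%d\n", names[v],
		    repro_frees(v), replace_shared_frees(v), swap_frees(v));
	return 0;
}
```

The patch variant fixes the reported double free but turns the shared-replace case into a leak, because both branches now bail out on the same `s->rbio == s->wbio` test; the suggested variant decides each free by whether that BIO survives as one of the new pointers, which is the property the caller's reference actually depends on.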