
From: Otto Moerbeek <otto@drijf.net>
Subject: Re: [PATCH] libressl: Fix a reference counting bug
To: Solar Flare <soflare@gmail.com>
Cc: tech@openbsd.org
Date: Thu, 28 May 2026 08:32:45 +0200

On Thu, May 28, 2026 at 02:04:52PM +0800, Solar Flare wrote:

> Hi,
> 
> This bug causes double free of the ssl->rbio object. A sample code to
> reproduce the issue:
> 
> #include <openssl/ssl.h>
> int main(void) {
>     SSL *s = SSL_new(SSL_CTX_new(TLS_client_method()));
>     SSL_set_fd(s, 1);                      /* installs one BIO as both rbio and wbio */
>     SSL_set_bio(s, SSL_get_rbio(s), NULL); /* wbio branch frees the BIO rbio still points at */
>     SSL_free(s); /* segfault here */
>     return 0;
> }
> 
> ---------------------------------------------------------------------------
> diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
> index 8cce44603..64988f8b0 100644
> --- a/src/lib/libssl/ssl_lib.c
> +++ b/src/lib/libssl/ssl_lib.c
> @@ -620,7 +620,7 @@ SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio)
> 
>         if (s->rbio != rbio && s->rbio != s->wbio)
>                 BIO_free_all(s->rbio);
> -       if (s->wbio != wbio)
> +       if (s->wbio != wbio && s->rbio != s->wbio)
>                 BIO_free_all(s->wbio);
>         s->rbio = rbio;
>         s->wbio = wbio;
> 
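Review bot: the new condition on the wbio branch leaks the old BIO when s->rbio == s->wbio and both new pointers differ from it (SSL_set_bio(s, NULL, NULL) is one instance): the rbio branch is skipped because s->rbio == s->wbio, and with this change the wbio branch is now skipped for the same reason, so the single BIO that SSL_set_fd() installs as both rbio and wbio is never released. The reproducer's double free goes away, but the shared case needs exactly one BIO_free_all(); e.g. handle `s->rbio == s->wbio` first, free once when neither new pointer still refers to it, and clear the stale pointer so the later check cannot free it again.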

This leaks if s->rbio == s->wbio, in that case a single call to
BIO_free_all() should be done. One way to achieve that is to set s->rbio
to NULL in the first if block.

	-Otto
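An added example, not code from the thread or from LibreSSL: a stand-alone model of the three SSL_set_bio() variants under discussion (the quoted original, the posted patch, and one arrangement that frees a shared BIO exactly once, as the reply asks for) run against a mock reference-counted BIO, so that the reproducer's double free and the leak described in the reply both show up as counts. It also covers two cases the thread does not spell out: keeping rbio while installing a new wbio, and dropping both BIOs with NULL. The names mock_bio, mock_ssl, set_bio_*, run_shared, the assumption that SSL_set_fd() installs a single BIO as both rbio and wbio, and the simplified model of what SSL_free() does with the two slots are this example's own.

```c
/* Added example, not LibreSSL code: a stand-alone model of the SSL_set_bio()
 * ownership logic from the thread.  A mock BIO counts references so that
 * double frees and leaks become numbers.  Every name below is this
 * example's own. */
#include <stdio.h>
#include <stdlib.h>

struct mock_bio { int refs; int double_frees; };
struct mock_ssl { struct mock_bio *rbio, *wbio; };
struct outcome { int double_frees, leaks; };
typedef void (*set_bio_fn)(struct mock_ssl *, struct mock_bio *, struct mock_bio *);

static struct mock_bio *bio_new(void)
{
	struct mock_bio *b = calloc(1, sizeof(*b));
	if (b == NULL) abort();
	b->refs = 1;            /* one reference, as BIO_new() hands out */
	return b;
}

/* Stand-in for BIO_free_all(): drops one reference, records a double free. */
static void bio_free(struct mock_bio *b)
{
	if (b == NULL) return;
	if (b->refs == 0) b->double_frees++; else b->refs--;
}

/* The logic quoted in the thread, before the patch. */
static void set_bio_original(struct mock_ssl *s, struct mock_bio *rbio, struct mock_bio *wbio)
{
	if (s->rbio != rbio && s->rbio != s->wbio)
		bio_free(s->rbio);
	if (s->wbio != wbio)
		bio_free(s->wbio);
	s->rbio = rbio;
	s->wbio = wbio;
}

/* The same logic with the posted patch applied. */
static void set_bio_patched(struct mock_ssl *s, struct mock_bio *rbio, struct mock_bio *wbio)
{
	if (s->rbio != rbio && s->rbio != s->wbio)
		bio_free(s->rbio);
	if (s->wbio != wbio && s->rbio != s->wbio)
		bio_free(s->wbio);
	s->rbio = rbio;
	s->wbio = wbio;
}

/* One arrangement that frees a shared BIO exactly once (this example's own):
 * release an old BIO only when neither new slot still refers to it, and skip
 * the old wbio when it is the very object just handled as the old rbio. */
static void set_bio_once(struct mock_ssl *s, struct mock_bio *rbio, struct mock_bio *wbio)
{
	struct mock_bio *old_r = s->rbio, *old_w = s->wbio;
	if (old_r != rbio && old_r != wbio)
		bio_free(old_r);
	if (old_w != old_r && old_w != rbio && old_w != wbio)
		bio_free(old_w);
	s->rbio = rbio;
	s->wbio = wbio;
}

/* Simplified model (an assumption of this example) of what SSL_free() does
 * with the two BIO slots: free wbio unless it is the same object as rbio. */
static void ssl_free_bios(struct mock_ssl *s)
{
	if (s->rbio != s->wbio) bio_free(s->wbio);
	bio_free(s->rbio);
	s->rbio = s->wbio = NULL;
}

/* Scenario: rbio and wbio start as one shared BIO (what SSL_set_fd() installs),
 * then fn(s, new_r, new_w), then SSL_free.  new_r/new_w select the argument:
 * 0 = NULL, 1 = the shared BIO, 2 or 3 = a fresh BIO. */
static struct outcome run_shared(set_bio_fn fn, int new_r, int new_w)
{
	struct mock_bio *bios[4] = { NULL, bio_new(), NULL, NULL };
	struct mock_ssl s;
	struct outcome o = { 0, 0 };
	int i;

	if (new_r == 2 || new_w == 2) bios[2] = bio_new();
	if (new_r == 3 || new_w == 3) bios[3] = bio_new();
	s.rbio = s.wbio = bios[1];
	fn(&s, bios[new_r], bios[new_w]);
	ssl_free_bios(&s);
	for (i = 1; i < 4; i++) {
		if (bios[i] == NULL) continue;
		o.double_frees += bios[i]->double_frees;
		if (bios[i]->refs > 0) o.leaks++;
		free(bios[i]);
	}
	return o;
}

int main(void)
{
	set_bio_fn fns[] = { set_bio_original, set_bio_patched, set_bio_once };
	const char *names[] = { "original", "patched", "once" };
	int cases[][2] = { { 1, 0 }, { 1, 2 }, { 2, 3 }, { 0, 0 } };
	int i, j;

	for (i = 0; i < 3; i++)
		for (j = 0; j < 4; j++) {
			struct outcome o = run_shared(fns[i], cases[j][0], cases[j][1]);
			printf("%-8s set_bio(%d, %d): double frees %d, leaks %d\n",
			    names[i], cases[j][0], cases[j][1], o.double_frees, o.leaks);
		}
	return 0;
}
```

Case (1, 0) is the reproducer: the original frees the shared BIO from the wbio branch and SSL_free() frees it again; the patch stops that. Case (2, 3), and likewise (0, 0), is the situation the reply points out: with the patch neither branch runs, so the shared BIO keeps its reference and leaks, whereas the original happened to get it right. Case (1, 2) shows the original also double freeing when only wbio is replaced. The set_bio_once variant reports zero for all four because it decides per old BIO whether anything still refers to it and visits a shared BIO once.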