From: Solar Flare
Subject: [PATCH] libressl: Fix a reference counting bug
To: tech@openbsd.org
Date: Thu, 28 May 2026 14:04:52 +0800

Hi,

This bug causes a double free of the ssl->rbio object.
Sample code to reproduce the issue:

#include <openssl/ssl.h>

int main()
{
	SSL* s = SSL_new(SSL_CTX_new(TLS_client_method()));
	/* rbio and wbio now refer to the same BIO */
	SSL_set_fd(s, 1);
	/* keep the current rbio, drop the wbio */
	SSL_set_bio(s, SSL_get_rbio(s), NULL);
	SSL_free(s); /* segfault here */
	return 0;
}

---------------------------------------------------------------------------
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 8cce44603..64988f8b0 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c @@ -620,7 +620,7 @@ SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio) if (s->rbio != rbio && s->rbio != s->wbio) BIO_free_all(s->rbio); - if (s->wbio != wbio) + if (s->wbio != wbio && s->rbio != s->wbio) BIO_free_all(s->wbio); s->rbio = rbio; s->wbio = wbio;
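Review bot: The new condition on the `+` line, `s->wbio != wbio && s->rbio != s->wbio`, trades the double free for a leak. When the SSL currently holds one shared BIO (`s->rbio == s->wbio`) and the caller installs a different BIO for both directions, the first check is skipped because of its existing `s->rbio != s->wbio` term and the second is now skipped for the same reason, so the old BIO is never passed to `BIO_free_all()` before `s->rbio` and `s->wbio` are overwritten. What the second check needs to ask is whether the old write BIO is being kept as the new read BIO, which is the reproducer's case, so a test such as `if (s->wbio != wbio && s->wbio != rbio)` would cover the reproducer and still release a shared BIO that is fully replaced. The first check has the mirror-image gap (it does not compare `s->rbio` against the incoming `wbio`) and is worth tightening in the same change. A regression test that runs the reproducer plus a full replacement of a shared BIO under a leak checker would pin both behaviours down.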