From: Otto Moerbeek
Subject: Re: [PATCH] libressl: Fix a reference counting bug
To: Solar Flare
Cc: tech@openbsd.org
Date: Thu, 28 May 2026 08:32:45 +0200

On Thu, May 28, 2026 at 02:04:52PM +0800, Solar Flare wrote:
> Hi,
>
> This bug causes double free of the ssl->rbio object. A sample code to
> reproduce the issue:
>
> #include <openssl/ssl.h>
>
> int main() {
>     SSL* s = SSL_new(SSL_CTX_new(TLS_client_method()));
>     SSL_set_fd(s, 1);
>     /* rbio and wbio now point at the same socket BIO */
>     SSL_set_bio(s, SSL_get_rbio(s), NULL);
>     SSL_free(s); /* segfault here */
>     return 0;
> }
>
> ---------------------------------------------------------------------------
> diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
> index 8cce44603..64988f8b0 100644
> --- a/src/lib/libssl/ssl_lib.c
> +++ b/src/lib/libssl/ssl_lib.c
> @@ -620,7 +620,7 @@ SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio)
>
>  	if (s->rbio != rbio && s->rbio != s->wbio)
>  		BIO_free_all(s->rbio);
> -	if (s->wbio != wbio)
> +	if (s->wbio != wbio && s->rbio != s->wbio)
>  		BIO_free_all(s->wbio);
>  	s->rbio = rbio;
>  	s->wbio = wbio;

This leaks if s->rbio == s->wbio, in that case a single call to
BIO_free_all() should be done. One way to achieve that is to set s->rbio
to NULL in the first if block.

	-Otto
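Review bot: the new `&& s->rbio != s->wbio` guard on the second `if` over-corrects: when the old rbio and wbio are the same BIO (the state after `SSL_set_fd()`) and both `rbio` and `wbio` arguments differ from it, neither `if` block runs, so the shared BIO is never released and leaks. The original only went wrong in the narrower case where the shared BIO is kept as the new rbio but replaced as wbio (exactly the reproducer above), because the second block freed it while `s->rbio` still pointed at it. A condition that frees the shared BIO only when neither new slot keeps it, e.g. `if (s->wbio != wbio && (s->rbio != s->wbio || s->rbio != rbio))`, covers both cases; alternatively clear `s->rbio` after the first `BIO_free_all()` so the second block can test ownership against a known value.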
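To make the ownership cases discussed in this thread concrete, here is a constructed model of the two `if` blocks in `SSL_set_bio()` with a stand-in BIO that counts frees. It is added example code, not LibreSSL's; `bio_t`, `ssl_t`, `set_bio()`, `check()` and the `FIXED` condition are hypothetical names and a suggested alternative, not the project's own, and it starts from the shared rbio == wbio state that `SSL_set_fd()` produces.

```c
#include <stddef.h>

typedef struct { int alive; int frees; } bio_t;   /* stand-in for BIO */
typedef struct { bio_t *rbio, *wbio; } ssl_t;     /* stand-in for SSL */

/* Stand-in for BIO_free_all(); returns 1 on a double free. */
static int bio_free(bio_t *b) {
    if (b == NULL) return 0;
    b->frees++;
    b->alive = 0;
    return b->frees > 1;
}

typedef enum { ORIGINAL, PATCHED, FIXED } variant_t;

/* The three candidate versions of the second if-block from the hunk. */
static int set_bio(ssl_t *s, bio_t *rbio, bio_t *wbio, variant_t v) {
    int bad = 0;
    if (s->rbio != rbio && s->rbio != s->wbio)
        bad |= bio_free(s->rbio);
    switch (v) {
    case ORIGINAL:   /* frees shared BIO even if it stays as rbio */
        if (s->wbio != wbio) bad |= bio_free(s->wbio);
        break;
    case PATCHED:    /* never frees a shared BIO: leaks when both change */
        if (s->wbio != wbio && s->rbio != s->wbio) bad |= bio_free(s->wbio);
        break;
    case FIXED:      /* free old wbio only if neither new slot keeps it */
        if (s->wbio != wbio && (s->rbio != s->wbio || s->rbio != rbio))
            bad |= bio_free(s->wbio);
        break;
    }
    s->rbio = rbio;
    s->wbio = wbio;
    return bad;
}

/* Start with rbio == wbio (constructed SSL_set_fd state), then apply a
 * replacement that keeps the shared BIO in neither, one or both slots.
 * Returns 0 if ownership is correct, 1 on double free / use after free,
 * 2 if the shared BIO was dropped without being freed (leak). */
int check(variant_t v, int keep_as_rbio, int keep_as_wbio) {
    bio_t shared = {1, 0}, r = {1, 0}, w = {1, 0};
    ssl_t s = { &shared, &shared };
    int dbl = set_bio(&s, keep_as_rbio ? &shared : &r,
                          keep_as_wbio ? &shared : &w, v);
    int kept = (s.rbio == &shared || s.wbio == &shared);
    if (dbl || (kept && !shared.alive)) return 1;
    if (!kept && shared.alive) return 2;
    return 0;
}
```

`check(ORIGINAL, 1, 0)` is the reproducer from the mail (shared BIO kept as rbio, wbio replaced); `check(PATCHED, 0, 0)` is the leak Otto points out.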