On 13/08/2021 17:31, Bala Duvvuri via openssl-users wrote:
Hi All,
We are using OpenSSl version 1.1.1d in our program and crash is being seen in "OPENSSL_sk_pop_free" API, we invoke this API in our certificate verification API. Since crash is not seen always, trying to understand from OpenSSL code, when can this occur?
My first suspicion would be a double-free, i.e. calling a free routine
on data that has already been freed. You might like to compile OpenSSL
and your application with asan (use the enable-asan compile time
Configure option for OpenSSL) and see if anything shows up.
Matt
Below is the bt of the crash
#0 0x0f31f438 in OPENSSL_sk_pop_free (st=0x1041de20, func=0xf34d5b0 <X509_free>) at crypto/stack/stack.c:367
i = 0
#1 0x0f344c74 in sk_X509_pop_free (freefunc=<optimized out>, sk=<optimized out>) at include/openssl/x509.h:99
No locals.
#2 X509_STORE_CTX_cleanup (ctx=ctx@entry=0x1041ba70) at crypto/x509/x509_vfy.c:2454
No locals.
#3 0x0f344cf4 in X509_STORE_CTX_free (ctx=ctx@entry=0x1041ba70) at crypto/x509/x509_vfy.c:2281
No locals
....
Below is the OpenSSL API
360 void OPENSSL_sk_pop_free(OPENSSL_STACK *st, OPENSSL_sk_freefunc func)
361 {
362 int i;
363
364 if (st == NULL)
365 return;
366 for (i = 0; i < st->num; i++)
367 if (st->data[i] != NULL)---------------------> Crash seen here
368 func((char *)st->data[i]);
369 OPENSSL_sk_free(st);
370 }
Can someone please help to understand under what conditions this can happen?
We use the below API's during certificate verification:
X509_STORE_new()
X509_STORE_CTX_new()
X509_STORE_set_verify_cb_func
X509_STORE_set_default_paths
X509_STORE_load_locations
X509_STORE_CTX_init
X509_STORE_CTX_set_flags
X509_verify_cert
/* Cleanup. */
FREE_X509_STORE_CTX(pContext);
Thanks
Bala
