I am using OpenSSL 1.1.1k Version, From that I see following are done in OpenSSL code, pls correct me if I am wrong.
Inside SSL_new:
SSL *SSL_new(SSL_CTX *ctx)
{
SSL *s;
.......
.......
s = OPENSSL_zalloc(sizeof(*s));
....
....
SSL_CTX_up_ref(ctx);
s->ctx = ctx; /* ctx value to s->ctx , also gets freed when called SLL_free(s) ==> SSL_CTX_free(s->ctx)*/
....
....
SSL_CTX_up_ref(ctx);
s->session_ctx = ctx; /* same value is getting assigned here also */
.....
return s;
}
Inside SSL_free:
void SSL_free(SSL *s)
{
if ( s == NULL)
return;
X509_VERIFY_PARAM_free(s->param);
.....
.....
SSL_CTX_free( s->session_ctx); /* this holds the value of ctx that was passed t
o SSL_new(), yes or no? */
.....
.....
SSL_CTX_free( s->ctx); /* this again trying to free the same pointer , abnormal behavior */
}
Point here is inside SSL_CTX_free(), after freeing "s->session_ctx" , we are not setting "s->session_ctx" to NULL(this may be optional, its ok if we don't use the same pointer again), but "s->session_ctx" and "s->ctx" both have same value. So applying "free()" on same value again ( through SSL_CTX_free( s->ctx); ) will result in abnormal behavior, correct or not?
I could not understand how OpenSSL free() ing pointers if they are assigned to multiple different variables.
Note: tried going through "SSL_CTX_up_ref(ctx);" , and "SSL_CTX_down_ref(ctx);", looks like they are tracking the pointer usage count by other APIs, but could not understand what exactly they are doing...when count is 0.
Could someone please elaborate a bit ..
Chand..
