One of my regression tests crashes when using OpenSSL 3.2.0. I've tracked it down to:

commit e4a94bcc77f3fda0f185e62a73a66d9b9b9388f5
Fix a possible memory leak in dane_tlsa_add

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 5314e1ec0d..70d3b17c19 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -339,6 +341,7 @@ static int dane_tlsa_add(SSL_DANE *dane,
 if ((DANETLS_USAGE_BIT(usage) & DANETLS_TA_MASK) == 0) {
 X509_free(cert);
+ tlsa_free(t);
 break;
 }

Now the question is: is this a bug in my application or in 3.2.0? Maybe someone who knows/understands the code can take a look?

BTW: All the other added tlsa_free() calls are seemingly before a return statement.

PS: I've added some debug output (see below) and got this:

tlsa_add: t=0xaef90a7c800, data=0xaef208b7380, t->data=0xaef9e86b800
tlsa_add: t=0xaef90a7c800, DANETLS_USAGE_BIT=free
tlsa_free: t=0xaef90a7c800, t->data=0xaef9e86b800, t->spki=0x0
tlsa_add: t=0xaef90a7c800, t->data=0xdfdfdfdfdfdfdfdf, t->spki=0xdfdfdfdfdfdfdfdf
tlsa_free: t=0xaef90a7c800, t->data=0xaef90a6d3c0, t->spki=0xdfdfdfdfdfdfdfdf

--- /tmp/ssl_lib.c Sat Nov 25 14:28:00 2023
+++ ssl/ssl_lib.c.dbg Sat Nov 25 14:14:59 2023
@@ -155,6 +155,7 @@
 {
 if (t == NULL) return;
+fprintf(stderr, "tlsa_free: t=%p, t->data=%p, t->spki=%p\n", t, t->data, t->spki);
 OPENSSL_free(t->data);
 EVP_PKEY_free(t->spki);
 OPENSSL_free(t);
@@ -162,6 +163,7 @@
 static void dane_final(SSL_DANE *dane)
 {
+fprintf(stderr, "dane_final: t=%p\n", dane->trecs);
 sk_danetls_record_pop_free(dane->trecs, tlsa_free);
 dane->trecs = NULL;
@@ -310,6 +312,7 @@
 t->selector = selector;
 t->mtype = mtype;
 t->data = OPENSSL_malloc(dlen);
+fprintf(stderr, "tlsa_add: t=%p, data=%p, t->data=%p\n", t, data, t->data);
 if (t->data == NULL) {
 tlsa_free(t);
 return -1;
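Review bot: In the upstream hunk `@@ -339,6 +341,7 @@`, the added `tlsa_free(t);` is followed by `break`, not `return`, so `t` is released while the function still goes on to use it; the other frees the commit adds precede a `return`, as the message itself notes. The trace on this page shows the effect: after that free, the probe placed after the switch prints `t->data=0xdfdfdfdfdfdfdfdf`, and `tlsa_free` is later called a second time on the same `t=0xaef90a7c800`, which is a use-after-free followed by a double free. The code after the switch appears to insert the record into the list (the rest of dane_tlsa_add is outside the hunk), so this path would not leak `t` and the added line should be dropped, leaving `X509_free(cert); break;` with a comment such as `/* t is still inserted below; it must not be freed here */`.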
@@ -328,6 +331,7 @@
 if (!d2i_X509(&cert, &p, ilen) || p < data || dlen != (size_t)(p - data)) {
 X509_free(cert);
+fprintf(stderr, "tlsa_add: t=%p, DANETLS_SELECTOR_CERT=free\n", t);
 tlsa_free(t);
 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_CERTIFICATE);
 return 0;
@@ -341,7 +345,10 @@
 if ((DANETLS_USAGE_BIT(usage) & DANETLS_TA_MASK) == 0) {
 X509_free(cert);
+fprintf(stderr, "tlsa_add: t=%p, DANETLS_USAGE_BIT=free\n", t);
+/*
 tlsa_free(t);
+*/
 break;
 }
@@ -357,6 +364,7 @@
 !sk_X509_push(dane->certs, cert)) {
 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
 X509_free(cert);
+fprintf(stderr, "tlsa_add: t=%p, error1=free\n", t);
 tlsa_free(t);
 return -1;
 }
@@ -366,6 +374,7 @@
 if (!d2i_PUBKEY(&pkey, &p, ilen) || p < data || dlen != (size_t)(p - data)) {
 EVP_PKEY_free(pkey);
+fprintf(stderr, "tlsa_add: t=%p, DANETLS_SELECTOR_SPKI=free\n", t);
 tlsa_free(t);
 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_PUBLIC_KEY);
 return 0;
@@ -383,6 +392,7 @@
 break;
 }
 }
+fprintf(stderr, "tlsa_add: t=%p, t->data=%p, t->spki=%p\n", t, t->data, t->spki);
 /*-
 * Find the right insertion point for the new record.
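Review bot: The probe added after the switch (`@@ -383,6 +392,7 @@`) reads `t->data` and `t->spki`, and with the upstream `tlsa_free(t)` still enabled, as it evidently was for the trace quoted earlier on the page, that is a read of freed memory. Such a read is undefined, so the values printed (the `0xdfdf…` fill) depend on the allocator and the probe could fault before it prints anything. Printing only the pointer at that point, `fprintf(stderr, "tlsa_add: t=%p\n", (void *)t);`, keeps the trace safe, and a build with `-fsanitize=address` would report both the free and the later use with stack traces. The `(void *)` cast applies to the `%p` arguments in the other probes as well, since `%p` expects a `void *`.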