handshake: free libctx after the SSL_CTXs to fix use-after-free #92

Closed
npajkovsky wants to merge 2 commits into openssl:main from npajkovsky:handhsake-uaf

@npajkovsky

The SSL_CTX objects (sctx and cctx) are created from the per-pool OSSL_LIB_CTX and hold references back into it. Freeing the library context first left SSL_CTX_free() operating on a freed libctx.

Reorder free_ctx_pool() so the SSL_CTXs are torn down first and the OSSL_LIB_CTX is freed last, matching their creation dependency.

Assisted-by: Claude:claude-sonnet-4-6

@npajkovsky npajkovsky self-assigned this Jun 29, 2026
@npajkovsky npajkovsky requested review from bob-beck and jogme June 29, 2026 09:23
The SSL_CTX objects (sctx and cctx) are created from the per-pool
OSSL_LIB_CTX and hold references back into it. Freeing the library
context first left SSL_CTX_free() operating on a freed libctx.

Reorder free_ctx_pool() so the SSL_CTXs are torn down first and the
OSSL_LIB_CTX is freed last, matching their creation dependency.

Fixes: openssl#91
Assisted-by: Claude:claude-sonnet-4-8
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>

@Sashan Sashan left a comment

Contributor

looks good to me.

@npajkovsky npajkovsky moved this to Waiting Review in Development Board Jun 29, 2026
@github-project-automation github-project-automation Bot moved this from Waiting Review to Waiting Merge in Development Board Jun 29, 2026
@esyr esyr added the "approval: ready to merge" label (The 24 hour grace period has passed, ready to merge) Jul 1, 2026
@esyr

esyr commented Jul 1, 2026

Member

Fixes: 5e1a24cbee59 "handshake: test SSL_CTX pool"

The same issue is present in init_ctx_pool(), but it is triggered only on the error path.

esyr pushed a commit that referenced this pull request Jul 1, 2026
The SSL_CTX objects (sctx and cctx) are created from the per-pool
OSSL_LIB_CTX and hold references back into it. Freeing the library
context first left SSL_CTX_free() operating on a freed libctx.

Reorder free_ctx_pool() so the SSL_CTXs are torn down first and the
OSSL_LIB_CTX is freed last, matching their creation dependency.

Resolves: #91
Fixes: 5e1a24c "handshake: test SSL_CTX pool"
Assisted-by: Claude:claude-sonnet-4-8
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Jul  1 15:32:40 2026
(Merged from #92)
esyr pushed a commit that referenced this pull request Jul 1, 2026
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Jul  1 15:32:42 2026
(Merged from #92)
@esyr

esyr commented Jul 1, 2026

Member

Applied to main, thank you.

@esyr esyr closed this Jul 1, 2026
@github-project-automation github-project-automation Bot moved this from Waiting Merge to Done in Development Board Jul 1, 2026
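
The ordering bug discussed in this thread, as a self-contained model that can be asserted on. This is an added example, not code from the PR or from OpenSSL: `struct lib` and `struct ctx` are stand-ins for OSSL_LIB_CTX and SSL_CTX, and the pool layout, the `buggy` switch and the `fail_cctx` switch are assumptions made for illustration.

```c
/* Stand-ins (assumed): lib models OSSL_LIB_CTX; ctx models an SSL_CTX
 * holding a raw, non-owning pointer back to it. Nothing is heap-freed,
 * so the "dead parent" check below is well-defined C. */
struct lib { int alive; };
struct ctx { struct lib *lib; int alive; };
struct pool { struct lib lib; struct ctx sctx, cctx; };

static int stale_uses; /* child teardowns that touched a dead parent */

/* Like SSL_CTX_free() in the PR description, teardown reaches back
 * into the parent context. */
static void ctx_free(struct ctx *c)
{
    if (!c->alive)
        return;                 /* never created: no-op */
    if (!c->lib->alive)
        stale_uses++;           /* in real code: use-after-free */
    c->alive = 0;
}

/* buggy != 0 reproduces the old order (parent first). */
static void free_ctx_pool(struct pool *p, int buggy)
{
    if (buggy)
        p->lib.alive = 0;
    ctx_free(&p->sctx);
    ctx_free(&p->cctx);
    p->lib.alive = 0;           /* fixed order: parent last */
}

/* fail_cctx simulates a failure while creating the second child. */
static int init_ctx_pool(struct pool *p, int fail_cctx)
{
    *p = (struct pool){ .lib = { 1 } };
    p->sctx = (struct ctx){ &p->lib, 1 };
    if (!fail_cctx) {
        p->cctx = (struct ctx){ &p->lib, 1 };
        return 1;
    }
    free_ctx_pool(p, 0);        /* error path: same fixed order */
    return 0;
}

int main(void)
{
    struct pool p;
    init_ctx_pool(&p, 0);
    free_ctx_pool(&p, 1);       /* old order: both children go stale */
    return stale_uses == 2 ? 0 : 1;
}
```

Routing the init error path through the same teardown function keeps the children-before-parent order in one place; against the real library, a build with AddressSanitizer reports the parent-first order as a heap-use-after-free.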
Development

Successfully merging this pull request may close these issues.

handshake -l crashes on Windows against OpenSSL master: free_ctx_pool() frees OSSL_LIB_CTX before the SSL_CTX
