From: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Date: Thu, 26 Feb 2026 21:48:29 +0000 (+0100) Subject: [3.11] gh-144833: Fix use-after-free in SSL module when SSL_new() fails (GH-144843... X-Git-Tag: v3.11.15~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=15c1d6a549f5eac56d819d9c324b85a36417970c;p=thirdparty%2FPython%2Fcpython.git [3.11] gh-144833: Fix use-after-free in SSL module when SSL_new() fails (GH-144843) (#144861) Co-authored-by: Ramin Farajpour Cami --- diff --git a/Misc/NEWS.d/next/Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst b/Misc/NEWS.d/next/Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst new file mode 100644 index 000000000000..6d5b18f59ee7 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst @@ -0,0 +1,3 @@ +Fixed a use-after-free in :mod:`ssl` when ``SSL_new()`` returns NULL in +``newPySSLSocket()``. The error was reported via a dangling pointer after the +object had already been freed. diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 09207abde145..6275d94d644c 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -844,8 +844,8 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock, self->ssl = SSL_new(ctx); PySSL_END_ALLOW_THREADS if (self->ssl == NULL) { + _setSSLError(get_state_ctx(sslctx), NULL, 0, __FILE__, __LINE__); Py_DECREF(self); - _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__); return NULL; } /* bpo43522 and OpenSSL < 1.1.1l: copy hostflags manually */