]> git.ipfire.org Git - thirdparty/openssl.git/commit
projects / thirdparty / openssl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 04cf7eb) | patch
providers: Nullify BIO pointer after free to prevent double free
authoryangxuqing <43904538+RigelYoung@users.noreply.github.com>
Sat, 23 May 2026 02:06:41 +0000 (10:06 +0800)
committerEugene Syromiatnikov <esyr@openssl.org>
Tue, 26 May 2026 10:14:29 +0000 (12:14 +0200)
commit82befaf246e948475cdaf14bf3a04565ac5d3625
tree0cd37aadde4c25de68bfe2e6dfb78495ac0ff3c8tree | snapshot
parent04cf7eb7b96cc37d05263d78bd2c0726b0c840e4commit | diff
providers: Nullify BIO pointer after free to prevent double free

In providers/implementations/storemgmt/file_store_any2obj.c, if the
control flow reaches the err label after BIO_free(in) is called, a
double free will occur in the generic cleanup block.

Currently, the only path to this specific err jump is if
BUF_MEM_grow(mem, len) fails. As noted by the OpenSSL Security Team,
this failure is currently impossible because the buffer is being
shrunk (max_len >= len).

However, as requested by the security team via email, this commit
explicitly nullifies the in pointer after the first free to
future-proof the function and prevent a double free in case the
semantics of BUF_MEM_grow() or the surrounding logic change in
the future.

Fixes: 1b0f21f0555c "Implementing store support for EVP_SKEY"
CLA: trivial

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue May 26 10:14:50 2026
(Merged from https://github.com/openssl/openssl/pull/31275)
providers/implementations/storemgmt/file_store_any2obj.c diff | blob | blame | history
Mirror of https://github.com/openssl/openssl.git