From: yangxuqing <43904538+RigelYoung@users.noreply.github.com> Date: Sat, 23 May 2026 02:06:41 +0000 (+0800) Subject: providers: Nullify BIO pointer after free to prevent double free X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=82befaf246e948475cdaf14bf3a04565ac5d3625;p=thirdparty%2Fopenssl.git providers: Nullify BIO pointer after free to prevent double free In providers/implementations/storemgmt/file_store_any2obj.c, if the control flow reaches the err label after BIO_free(in) is called, a double free will occur in the generic cleanup block. Currently, the only path to this specific err jump is if BUF_MEM_grow(mem, len) fails. As noted by the OpenSSL Security Team, this failure is currently impossible because the buffer is being shrunk (max_len >= len). However, as requested by the security team via email, this commit explicitly nullifies the in pointer after the first free to future-proof the function and prevent a double free in case the semantics of BUF_MEM_grow() or the surrounding logic change in the future. Fixes: 1b0f21f0555c "Implementing store support for EVP_SKEY" CLA: trivial Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz Reviewed-by: Eugene Syromiatnikov MergeDate: Tue May 26 10:14:50 2026 (Merged from https://github.com/openssl/openssl/pull/31275) --- diff --git a/providers/implementations/storemgmt/file_store_any2obj.c b/providers/implementations/storemgmt/file_store_any2obj.c index 002560465ab..2592ab04abf 100644 --- a/providers/implementations/storemgmt/file_store_any2obj.c +++ b/providers/implementations/storemgmt/file_store_any2obj.c @@ -336,6 +336,7 @@ static int raw2obj_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, } BIO_free(in); + in = NULL; if (BUF_MEM_grow(mem, len) != len) { ERR_raise(ERR_LIB_PEM, ERR_R_BUF_LIB);
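Review bot: the added `in = NULL;` directly after `BIO_free(in);` in raw2obj_decode() has no comment saying why it is there. The commit message states that the only jump to err from this point, the `BUF_MEM_grow(mem, len) != len` failure, cannot currently happen, so the assignment reads as a dead store that a later tidy-up could delete. A short comment on that line, for example `/* in is freed again at err */`, would record the intent in the code rather than only in the commit log. The err cleanup block is outside the visible context of this hunk, so it is also worth confirming that nothing else released before this point is freed a second time there.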