Avoid using a dangling pointer when removing the last item
author Kurt Roeckx <kurt@roeckx.be>
Tue, 22 Dec 2015 12:11:59 +0000 (13:11 +0100)
committer Kurt Roeckx <kurt@roeckx.be>
Wed, 23 Dec 2015 19:36:32 +0000 (20:36 +0100)
When it's the last item that is removed, int_thread_hash == hash and we would
still call int_thread_release(&hash) while hash is already freed.  So
int_thread_release would compare that dangling pointer to NULL, which is
undefined behaviour.  Instead, do already what int_thread_release() would do,
and make the call do nothing instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
RT: #4155, MR: #1519

crypto/err/err.c

index e487e98..9f81768 100644 (file)
@@ -399,8 +399,10 @@ static void int_thread_del_item(const ERR_STATE *d)
         if (int_thread_hash_references == 1
             && int_thread_hash
             && lh_ERR_STATE_num_items(int_thread_hash) == 0) {
         if (int_thread_hash_references == 1
             && int_thread_hash
             && lh_ERR_STATE_num_items(int_thread_hash) == 0) {
+            int_thread_hash_references = 0;
             lh_ERR_STATE_free(int_thread_hash);
             int_thread_hash = NULL;
             lh_ERR_STATE_free(int_thread_hash);
             int_thread_hash = NULL;
+            hash = NULL;
         }
     }
     CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
         }
     }
     CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
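Review bot: the added `hash = NULL;` only makes sense if `hash` aliases `int_thread_hash` in this branch and the later `int_thread_release(&hash)` treats a NULL pointer as a no-op; neither fact is visible in this hunk, so a one-line comment above `int_thread_hash_references = 0;` stating that the table is released here and the caller's `hash` is cleared so the subsequent release call does nothing would save the next reader from having to reconstruct the dangling-pointer scenario from the commit message. Also worth a sentence in the commit message: since `int_thread_hash_references = 0;` is now set before `lh_ERR_STATE_free(int_thread_hash);`, confirm that nothing between the assignment and `CRYPTO_w_unlock(CRYPTO_LOCK_ERR);` depends on the count still being 1 (the write lock is held throughout the shown lines, so this looks safe, but say so explicitly).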