Commit 933d1085 authored by Kurt Roeckx's avatar Kurt Roeckx
Browse files

Avoid using a dangling pointer when removing the last item 



When it's the last item that is removed int_thread_hash == hash and we would
still call int_thread_release(&hash) while hash is already freed.  So
int_thread_release would compare that dangling pointer to NULL which is
undefined behaviour.  Instead do already what int_thread_release() would do,
and make the call do nothing instead.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>

RT: #4155, MR: #1519
parent c849c6d9

crypto/err/err.c

+2 −0
Original line number Diff line number Diff line
@@ -399,8 +399,10 @@ static void int_thread_del_item(const ERR_STATE *d) 
        if (int_thread_hash_references == 1

            && int_thread_hash

            && lh_ERR_STATE_num_items(int_thread_hash) == 0) {

            int_thread_hash_references = 0;

            lh_ERR_STATE_free(int_thread_hash);

            int_thread_hash = NULL;

            hash = NULL;

        }

    }

    CRYPTO_w_unlock(CRYPTO_LOCK_ERR);