[stunnel-users] Possible use-after-free in stunnel 4.52
David Shaw
dshaw at JABBERWOCKY.COM
Wed Feb 1 00:59:06 CET 2012
Hello,
I am using stunnel 4.52 in client mode with exec and connect. The client program that stunnel execs periodically exits and is properly restarted by stunnel, as I have "retry = yes" set. However, after a retry, I occasionally get a segfault inside one of the OpenSSL libraries. It does not happen right away, but once it happens, every retry causes the same segfault.
I did some debugging, and it seems that what is happening during a retry is that the SSL connection is brought down in client_run(), then is freed via SSL_free(c->ssl). However, it seems that c->ssl is used after this free, for example in connect_local(), which calls SSL_get_peer_certificate(c->ssl). When exec, connect, and retry are all set, client_main() will call connect_local() after client_run() exits.
This patch seems to resolve the issue:
--- client.c.orig 2012-01-11 10:43:33.000000000 -0500
+++ client.c 2012-01-31 18:02:19.155213010 -0500
@@ -162,6 +162,7 @@
if(c->ssl) { /* SSL initialized */
SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
SSL_free(c->ssl);
+ c->ssl=NULL;
ERR_remove_state(0);
}
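Review bot: clearing c->ssl after SSL_free() turns the dangling pointer into a NULL pointer, but the hunk does not show connect_local(), which the report says calls SSL_get_peer_certificate(c->ssl) on the next retry; that call must be guarded with an `if(c->ssl)` check (or the retry path must re-create the session before reaching it), otherwise the use-after-free becomes a NULL dereference at the same spot. On the positive side, the existing `if(c->ssl) { /* SSL initialized */` guard at the top of this block now also makes a second pass through the teardown a harmless no-op instead of a double SSL_free().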
For completeness, here's my stunnel.conf:
client = yes
sslVersion = SSLv3
pid = /var/run/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
foreground=yes
[experiment]
connect = x.x.x.x:443
exec = testprog
retry = yes
David
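The pattern behind the report and the patch, as an added illustration that is not part of David's mail or of stunnel's code: a teardown that frees the session and clears the pointer, and a consumer that checks the pointer before touching the session. The fake_ssl type, client_ctx, session_teardown() and session_peer() are constructed stand-ins for OpenSSL's SSL object, stunnel's CLI structure, client_run()'s cleanup and connect_local()'s certificate lookup, so the example builds without OpenSSL.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for OpenSSL's SSL object: just carries a peer name. */
typedef struct {
    char peer_cert[32];
} fake_ssl;

/* Constructed stand-in for stunnel's per-connection context (CLI). */
typedef struct {
    fake_ssl *ssl;  /* NULL whenever no TLS session is established */
    int frees;      /* counts how often the session was actually released */
} client_ctx;

static fake_ssl *fake_ssl_new(const char *peer) {
    fake_ssl *s = calloc(1, sizeof *s);
    if (s) {
        strncpy(s->peer_cert, peer, sizeof s->peer_cert - 1);
    }
    return s;
}

/* Session teardown as in the patched client_run(): free, then clear the
 * pointer so no later code path can dereference the released object. The
 * leading NULL check also makes a repeated teardown a no-op rather than a
 * double free. */
void session_teardown(client_ctx *c) {
    if (c->ssl) {
        free(c->ssl);   /* SSL_free() in the real code */
        c->ssl = NULL;  /* the one-line fix from the mail */
        c->frees++;
    }
}

/* Consumer in the style of connect_local()'s SSL_get_peer_certificate():
 * returns NULL instead of reading through a cleared pointer. */
const char *session_peer(const client_ctx *c) {
    if (!c->ssl) {
        return NULL;
    }
    return c->ssl->peer_cert;
}

/* Simulates "retry = yes": each cycle brings a session up, tears it down,
 * then runs the post-run consumer that the report says is still reached.
 * Returns the number of cycles in which the consumer saw a live session
 * after teardown; with the fix this must be zero. */
int retry_cycles_with_stale_session(int cycles) {
    client_ctx c = { .ssl = NULL, .frees = 0 };
    int stale = 0;
    for (int i = 0; i < cycles; i++) {
        c.ssl = fake_ssl_new("peer-under-test");  /* client_run() sets up */
        session_teardown(&c);                      /* client_run() exits */
        session_teardown(&c);                      /* a second pass is safe */
        if (session_peer(&c) != NULL) {            /* connect_local() path */
            stale++;
        }
    }
    return stale;
}

int main(void) {
    printf("stale sessions after 5 retries: %d\n",
           retry_cycles_with_stale_session(5));
    return 0;
}
```

The point is not the NULL assignment alone: the consumer still has to treat a NULL session as "no session" rather than calling into the library with it, which is what the reviewer would check in connect_local() before accepting the patch.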