[stunnel-users] Possible use-after-free in stunnel 4.52

David Shaw dshaw at JABBERWOCKY.COM
Wed Feb 1 00:59:06 CET 2012


Hello,

I am using stunnel 4.52 in client mode with exec and connect.  The client program that stunnel execs periodically exits, and is properly re-started by stunnel, as I have "retry = yes" set.  However, after a retry, I occasionally get a segfault inside one of the OpenSSL libraries.  It does not happen right away, but once it happens, every retry causes the same segfault.

I did some debugging and it seems that what is happening during a retry is that the SSL connection is brought down in client_run(), then is freed via SSL_free(c->ssl).  However, it seems that c->ssl is used after this free, for example in connect_local(), which calls SSL_get_peer_certificate(c->ssl).  When exec, connect, and retry are all set, client_main() will call connect_local() after client_run() exits.

This patch seems to resolve the issue:

--- client.c.orig	2012-01-11 10:43:33.000000000 -0500
+++ client.c	2012-01-31 18:02:19.155213010 -0500
@@ -162,6 +162,7 @@
     if(c->ssl) { /* SSL initialized */
         SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
         SSL_free(c->ssl);
+        c->ssl=NULL;
         ERR_remove_state(0);
     }
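Review bot: Clearing c->ssl after SSL_free() only removes the dangling pointer; it does not make the retry path safe on its own, because connect_local() as described above still calls SSL_get_peer_certificate(c->ssl) unconditionally and will now pass NULL instead of a freed object. Guard that call (and any other SSL_* use on the retry path) with `if(c->ssl)`, or restructure client_main() so the certificate check runs while the session is still live. Also confirm that every other place in client.c that frees c->ssl applies the same `c->ssl=NULL`, otherwise a different exit path can reintroduce the same use-after-free on the next retry.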

For completeness, here's my stunnel.conf:

client = yes
sslVersion = SSLv3
pid = /var/run/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
foreground=yes

[experiment]
connect = x.x.x.x:443
exec = testprog
retry = yes

David
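The failure mode above, reduced to its essentials, as an added example. This is not stunnel's code and does not link against OpenSSL: the fake_ssl type and the teardown/consumer functions are stand-ins constructed here to mirror the c->ssl lifecycle David describes (client_run() frees the object, client_main() then calls connect_local() which reads it). The fake SSL_free marks the object dead instead of releasing it immediately, so the dangling read is counted rather than being undefined behaviour; the peer name "server.example" is hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for OpenSSL's SSL object (constructed for this example).
 * Instead of returning memory to the allocator at once, the fake free
 * only marks the object dead, so a dangling read can be detected. */
enum { SSL_LIVE = 0x55, SSL_DEAD = 0xDD };

typedef struct {
    int state;            /* SSL_LIVE while valid, SSL_DEAD after free */
    const char *peer_cn;  /* what SSL_get_peer_certificate() would yield */
} fake_ssl;

static fake_ssl *fake_ssl_new(const char *cn) {
    fake_ssl *s = malloc(sizeof *s);
    if (!s)
        abort();
    s->state = SSL_LIVE;
    s->peer_cn = cn;
    return s;
}

static void fake_ssl_free(fake_ssl *s) {
    s->state = SSL_DEAD;  /* memory itself is released later by the caller */
}

/* Minimal client context, mirroring the c->ssl field discussed in the mail */
typedef struct {
    fake_ssl *ssl;
    int uaf_hits;   /* reads that hit a freed object */
    int null_hits;  /* reads skipped because ssl was NULL */
} CLI;

/* Teardown as in client_run() before the patch: free, keep the pointer */
static void teardown_unpatched(CLI *c) {
    if (c->ssl)
        fake_ssl_free(c->ssl);
}

/* Teardown with the patch applied: free, then clear the pointer */
static void teardown_patched(CLI *c) {
    if (c->ssl) {
        fake_ssl_free(c->ssl);
        c->ssl = NULL;
    }
}

/* A connect_local()-style consumer that inspects the peer certificate.
 * The explicit NULL check is what makes the c->ssl=NULL fix effective. */
static const char *peer_name(CLI *c) {
    if (!c->ssl) {
        c->null_hits++;
        return NULL;
    }
    if (c->ssl->state != SSL_LIVE) {
        c->uaf_hits++;      /* the use-after-free the patch is meant to stop */
        return NULL;
    }
    return c->ssl->peer_cn;
}

/* Run n exec/connect retry cycles: set up a session, tear it down the way
 * client_run() does, then call the consumer as client_main() does. */
static void run_retries(CLI *c, int n, int patched) {
    c->ssl = NULL;
    c->uaf_hits = 0;
    c->null_hits = 0;
    for (int i = 0; i < n; i++) {
        c->ssl = fake_ssl_new("server.example");  /* hypothetical peer */
        fake_ssl *raw = c->ssl;                   /* kept only to release memory */
        if (patched)
            teardown_patched(c);
        else
            teardown_unpatched(c);
        peer_name(c);   /* connect_local() running after client_run() returned */
        free(raw);
    }
    c->ssl = NULL;      /* never leave the context pointing at freed memory */
}

int main(void) {
    CLI c;
    run_retries(&c, 3, 0);
    printf("unpatched: %d use-after-free reads, %d skipped\n", c.uaf_hits, c.null_hits);
    run_retries(&c, 3, 1);
    printf("patched:   %d use-after-free reads, %d skipped\n", c.uaf_hits, c.null_hits);
    return 0;
}
```

Running it shows three dangling reads without the patch and none with it; the skipped reads in the patched run are the ones a real connect_local() still has to handle, which is why nulling the pointer needs a matching check at the consumer.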



