When using libdigidoc-python bindings on 32-bit Ubuntu 10.10 machines, I
frequently saw crashes when opening PEM certificates (even after a clean
install). Strangely enough this didn't happen on 64-bit machines.
Here's an example stack trace from the crash:

```
#0 0x00000000 in ?? ()
#1 0x00236194 in BIO_free () from /lib/libcrypto.so.0.9.8
#2 0x0076741b in ~BIO_scope (this=0x8349ec0, pem=...) at /home/marti/libdigidocpp/src/crypto/cert/../../crypto/OpenSSLHelpers.h:43
#3 digidoc::X509Cert::X509Cert (this=0x8349ec0, pem=...) at /home/marti/libdigidocpp/src/crypto/cert/X509Cert.cpp:101
#4 0x004a74e6 in _wrap_new_X509Cert__SWIG_1 (self=0x0, args=0xb7cc186c) at /home/marti/libdigidocpp/obj-i686-linux-gnu/src/digidocPYTHON_wrap.cxx:9349
#5 _wrap_new_X509Cert (self=0x0, args=0xb7cc186c) at /home/marti/libdigidocpp/obj-i686-linux-gnu/src/digidocPYTHON_wrap.cxx:9386
#6 0x080de31b in PyEval_EvalFrameEx ()
#7 0x080dfbb2 in PyEval_EvalCodeEx ()
...
```
Looking at OpenSSLHelpers.h and X509Cert.cpp, I determined that the BIO buffer
was being freed twice in the X509Cert constructor:

```cpp
BIO *mem = BIO_new_mem_buf((void *)pem.c_str(), -1);
BIO_scope memScope(&mem);   // scope guard: ~BIO_scope will BIO_free(*(&mem)) on exit
// X509 *PEM_read_X509(FILE *fp, X509 **x, pem_password_cb *cb, void *u);
PEM_read_bio_X509(mem, &cert, 0, NULL);
BIO_free(mem);              // first free; mem is left dangling, so the guard frees it again
```
It sets up a scoped pointer for the BIO *mem, but frees it directly via
BIO_free, without setting it to NULL. After it goes out of scope, ~BIO_scope
would attempt to free the invalid pointer again.
A simple test case that crashes 100% reliably in my environment is attached.
The patch to address this bug is also attached.
Original issue reported on code.google.com by ma...@juffo.org on 11 Apr 2011 at 3:37
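As an added illustration (not code from the report, the attached patch, or libdigidocpp itself), the following uses a constructed stand-in for OpenSSL's BIO that counts frees instead of crashing, so the double free produced by the manual BIO_free plus the scope guard becomes observable. It also shows the two ways the report's description implies to avoid it: null the pointer after the manual free, or leave the free to the guard. FakeBIO, fake_BIO_free and BioScope are assumed stand-ins modelled on the shape of BIO_scope (a guard holding a BIO** and freeing its target on destruction).

```cpp
#include <cstddef>

// Constructed stand-in for an OpenSSL BIO (not OpenSSL's type): it records how
// many times it was freed so a double free shows up as a count, not a crash.
struct FakeBIO { int freeCount = 0; };

// Stand-in for BIO_free: like the real one, freeing a NULL pointer is a no-op.
static void fake_BIO_free(FakeBIO *b) {
    if (b == nullptr) return;
    b->freeCount++;
}

// Assumed shape of libdigidocpp's BIO_scope: holds a BIO** and frees whatever
// it points at when the scope ends.
class BioScope {
    FakeBIO **ref;
public:
    explicit BioScope(FakeBIO **r) : ref(r) {}
    ~BioScope() { fake_BIO_free(*ref); }
};

// The pattern from the report: manual free without resetting the pointer,
// so the guard frees the same object a second time. Returns the free count.
int buggyPattern() {
    FakeBIO bio;
    FakeBIO *mem = &bio;
    {
        BioScope memScope(&mem);
        fake_BIO_free(mem);      // first free; mem still points at bio
    }                            // ~BioScope frees bio again: double free
    return bio.freeCount;        // 2
}

// Fix A: drop the manual free and let the guard own the BIO.
int fixedGuardOnly() {
    FakeBIO bio;
    FakeBIO *mem = &bio;
    {
        BioScope memScope(&mem);
    }                            // guard frees exactly once
    return bio.freeCount;        // 1
}

// Fix B: if an early free is wanted, null the pointer so the guard sees NULL.
int fixedNullAfterFree() {
    FakeBIO bio;
    FakeBIO *mem = &bio;
    {
        BioScope memScope(&mem);
        fake_BIO_free(mem);
        mem = nullptr;           // *ref is now NULL, so ~BioScope is a no-op
    }
    return bio.freeCount;        // 1
}
```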