Fix use-after-free in BIO_C_SET_SSL callback

Since the BIO_SSL structure was renewed by `ssl_free(b)/ssl_new(b)`, the `bs` pointer needs to be updated before assigning to `bs->ssl`. Thanks to @suishixingkong for reporting the issue and providing a fix. Closes #10539 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11746)
2025-04-27 10:14:36 +00:00 · 2020-05-06 17:24:13 +02:00 · 2020-05-06 17:24:13 +02:00 · 73d6b4efe6
commit 73d6b4efe6
parent 90fc2c26df
1 changed files with 1 additions and 0 deletions
--- a/ssl/bio_ssl.c
+++ b/ssl/bio_ssl.c
@ -284,6 +284,7 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
            ssl_free(b);
            if (!ssl_new(b))
                return 0;
+            bs = BIO_get_data(b);
        }
        BIO_set_shutdown(b, num);
        ssl = (SSL *)ptr;