https://github.com/python/cpython/commit/15c1d6a549f5eac56d819d9c324b85a36417970c commit: 15c1d6a549f5eac56d819d9c324b85a36417970c branch: 3.11 author: Miss Islington (bot) <[email protected]> committer: pablogsal <[email protected]> date: 2026-02-26T21:48:29Z summary:
[3.11] gh-144833: Fix use-after-free in SSL module when SSL_new() fails (GH-144843) (#144861) Co-authored-by: Ramin Farajpour Cami <[email protected]> files: A Misc/NEWS.d/next/Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst M Modules/_ssl.c diff --git a/Misc/NEWS.d/next/Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst b/Misc/NEWS.d/next/Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst new file mode 100644 index 00000000000000..6d5b18f59ee7ea --- /dev/null +++ b/Misc/NEWS.d/next/Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst @@ -0,0 +1,3 @@ +Fixed a use-after-free in :mod:`ssl` when ``SSL_new()`` returns NULL in +``newPySSLSocket()``. The error was reported via a dangling pointer after the +object had already been freed. diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 09207abde14545..6275d94d644c64 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -844,8 +844,8 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock, self->ssl = SSL_new(ctx); PySSL_END_ALLOW_THREADS if (self->ssl == NULL) { + _setSSLError(get_state_ctx(sslctx), NULL, 0, __FILE__, __LINE__); Py_DECREF(self); - _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__); return NULL; } /* bpo43522 and OpenSSL < 1.1.1l: copy hostflags manually */ _______________________________________________ Python-checkins mailing list -- [email protected] To unsubscribe send an email to [email protected] https://mail.python.org/mailman3//lists/python-checkins.python.org Member address: [email protected]
