From 13f0581a852a648af194a94aa034fae71e3f8a63 Mon Sep 17 00:00:00 2001
From: Ramin Farajpour Cami 
Date: Mon, 16 Feb 2026 06:13:07 +0330
Subject: [PATCH] gh-144833: Fix use-after-free in SSL module when SSL_new() fails (GH-144843)

In newPySSLSocket(), when SSL_new() returns NULL, Py_DECREF(self) was called before _setSSLError(get_state_ctx(self), ...), causing a use-after-free. Additionally, get_state_ctx() was called with self (PySSLSocket*) instead of sslctx (PySSLContext*), which is a type confusion bug. Fix by calling _setSSLError() before Py_DECREF() and using sslctx instead of self for get_state_ctx().

(cherry picked from commit c91638ca0671b8038831f963ed44e66cdda006a2)

Co-authored-by: Ramin Farajpour Cami 
---
 .../Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst | 3 +++
 Modules/_ssl.c | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 Misc/NEWS.d/next/Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst

diff --git a/Misc/NEWS.d/next/Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst b/Misc/NEWS.d/next/Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst
new file mode 100644
index 00000000000000..6d5b18f59ee7ea
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst
@@ -0,0 +1,3 @@
+Fixed a use-after-free in :mod:`ssl` when ``SSL_new()`` returns NULL in
+``newPySSLSocket()``. The error was reported via a dangling pointer after the
+object had already been freed.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 0b8cf0b6df3ca5..aae4dc323dd646 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -838,8 +838,8 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
     self->ssl = SSL_new(ctx);
     PySSL_END_ALLOW_THREADS
     if (self->ssl == NULL) {
+        _setSSLError(get_state_ctx(sslctx), NULL, 0, __FILE__, __LINE__);
         Py_DECREF(self);
-        _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__);
         return NULL;
     }
     /* bpo43522 and OpenSSL < 1.1.1l: copy hostflags manually */
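Review bot: The new ordering in the `if (self->ssl == NULL)` branch is correct but carries no explanation, so a future cleanup that "tidies" the error path could re-swap the two statements and silently reintroduce the use-after-free that this commit fixes. A one-line why-comment above the added `_setSSLError(...)` call would pin the invariant: `/* Report the error before Py_DECREF(self): self (and anything reached through it) is invalid afterwards. */`. The `sslctx` argument to `get_state_ctx()` is also the right type here (`PySSLContext *` per the hunk header), whereas the removed line passed the `PySSLSocket *`; the comment could note that the module state is taken from the context, not the partially initialised socket, so nobody reverts that part either. `newPySSLSocket()` begins before this hunk and continues past it, and the other early-return error paths in the remainder of the function are not visible here; it would be worth checking that none of them has the same "decref then report" ordering.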