Commit 70fa179635 for openssl.org
commit 70fa179635fb3daf2e1b1e0d2888f1f8bf79ff16
Author: Neil Horman <nhorman@openssl.org>
Date: Thu Jun 25 17:42:05 2026 -0400
eliminate use of CRYPTO_GET_REF in sslapitest
CRYPTO_GET_REF is almost by definition a TOCTOU race, and we shouldn't
use it.
As part of the effort to deprecate it, eliminate its use from
sslapitest.
Avoid the use-after-free possibility by getting a session with
SSL_get1_session (which increments the refcount) and freeing it after
we're done with it.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
MergeDate: Sat Jul 4 16:47:10 2026
(Merged from https://github.com/openssl/openssl/pull/31750)
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 91a2181b61..c5517016c5 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -10601,7 +10601,8 @@ static int test_session_cache_overflow(int idx)
SSL *serverssl = NULL, *clientssl = NULL;
int testresult = 0;
SSL_SESSION *sess = NULL;
- int references;
+
+ get_sess_val = NULL;
#ifdef OSSL_NO_USABLE_TLS1_3
/* If no TLSv1.3 available then do nothing in this case */
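Review bot: The added `get_sess_val = NULL;` has no comment, and its purpose only becomes clear in the last hunk, where `end:` now calls `SSL_SESSION_free(get_sess_val)` on every exit path. get_sess_val is not among the locals declared here, so it is presumably file-scope state shared with other tests. Without the reset, an early `goto end` could release a pointer this test never took a reference on. I would add `/* end: frees get_sess_val unconditionally; clear any value left by an earlier test */` above the assignment. The body of test_session_cache_overflow begins and continues outside this hunk.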
@@ -10672,18 +10673,9 @@ static int test_session_cache_overflow(int idx)
* The session we just negotiated may have been already removed from the
* internal cache - but we will return it anyway from our external cache.
*/
- get_sess_val = SSL_get_session(serverssl);
+ get_sess_val = SSL_get1_session(serverssl);
if (!TEST_ptr(get_sess_val))
goto end;
- /*
- * Normally the session is also stored in the cache, thus we have more than
- * one reference, but due to an out-of-memory error it can happen that this
- * is the only reference, and in that case the SSL_free(serverssl) below
- * would free the get_sess_val, causing a use-after-free error.
- */
- if (!TEST_true(CRYPTO_GET_REF(&get_sess_val->references, &references))
- || !TEST_int_ge(references, 2))
- goto end;
sess = SSL_get1_session(clientssl);
if (!TEST_ptr(sess))
goto end;
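Review bot: The deleted comment was the only explanation of why the lifetime of get_sess_val matters, and the new `SSL_get1_session(serverssl)` call carries none. A one-line replacement keeps the ownership rule next to the call: `/* Own a reference so get_sess_val stays valid after SSL_free(serverssl); released at end: */`. The external-cache callback that hands out get_sess_val is outside this hunk. It is worth confirming that the library takes its own reference on what that callback returns, rather than consuming the one taken here.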
@@ -10707,6 +10699,8 @@ static int test_session_cache_overflow(int idx)
testresult = 1;
end:
+ SSL_SESSION_free(get_sess_val);
+ get_sess_val = NULL;
SSL_free(serverssl);
SSL_free(clientssl);
SSL_CTX_free(sctx);