Skip to content

Possible double *free() in ns_interface_listentls()

There is a call to the isc_tlsctx_free(&sslctx); inside the body of the ns_interface_listentls(). I think, that this could potentially lead to a double *free()ing of the memory allocated by OpenSSL, because sslctx gets destroyed during the listenlist destruction.

static isc_result_t
ns_interface_listentls(ns_interface_t *ifp, isc_tlsctx_t *sslctx) {
    isc_result_t result;

    result = isc_nm_listentlsdns(
        ifp->mgr->nm, (isc_nmiface_t *)&ifp->addr, ns__client_request,
        ifp, ns__client_tcpconn, ifp, sizeof(ns_client_t),
        ifp->mgr->backlog, &ifp->mgr->sctx->tcpquota, sslctx,
        &ifp->tcplistensocket);

    if (result != ISC_R_SUCCESS) {
        isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
                  "creating TLS socket: %s",
                  isc_result_totext(result));
        isc_tlsctx_free(&sslctx);
        return (result);
    }

    /*
     * We call this now to update the tcp-highwater statistic:
     * this is necessary because we are adding to the TCP quota just
     * by listening.
     */
    result = ns__client_tcpconn(NULL, ISC_R_SUCCESS, ifp);
    if (result != ISC_R_SUCCESS) {
        isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
                  "updating TCP stats: %s",
                  isc_result_totext(result));
    }

    return (result);
}
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information