Ensure SSL_get_app_data() continues to work even in SSL_free()

During SSL_free() we may get a QUIC TLS callback being called to clean up any remaining record data. We should ensure that SSL_get_app_data() continues to work, even in this scenario. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27091)
2025-03-18 12:10:59 +00:00 · 2025-03-18 12:10:59 +00:00 · 2100cf2ee0
commit 2100cf2ee0
parent 4ad45969b0
1 changed files with 9 additions and 8 deletions
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@ -1428,11 +1428,10 @@ void SSL_free(SSL *s)
        return;
    REF_ASSERT_ISNT(i < 0);

-    CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
-
    if (s->method != NULL)
        s->method->ssl_free(s);

+    CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
    SSL_CTX_free(s->ctx);
    CRYPTO_THREAD_lock_free(s->lock);
    CRYPTO_FREE_REF(&s->references);
@ -1448,15 +1447,17 @@ void ossl_ssl_connection_free(SSL *ssl)
    if (s == NULL)
        return;

+    /*
+     * Ignore return values. This could result in user callbacks being called
+     * e.g. for the QUIC TLS record layer. So we do this early before we have
+     * freed other things.
+     */
+    ssl_free_wbio_buffer(s);
+    RECORD_LAYER_clear(&s->rlayer);
+
    X509_VERIFY_PARAM_free(s->param);
    dane_final(&s->dane);

-    /* Ignore return value */
-    ssl_free_wbio_buffer(s);
-
-    /* Ignore return value */
-    RECORD_LAYER_clear(&s->rlayer);
-
    BUF_MEM_free(s->init_buf);

    /* add extra stuff */