Avoid using a dangling pointer when removing the last item

When it's the last item that is removed int_thread_hash == hash and we would still call int_thread_release(&hash) while hash is already freed. So int_thread_release would compare that dangling pointer to NULL which is undefined behaviour. Instead do already what int_thread_release() would do, and make the call do nothing instead. Reviewed-by: Rich Salz <rsalz@openssl.org> RT: #4155, MR: #1519
author: Kurt Roeckx <kurt@roeckx.be> 2015-12-22 13:11:59 +0100
committer: Kurt Roeckx <kurt@roeckx.be> 2015-12-23 20:36:32 +0100
commit: 933d10851640014142db0f3b02c2b740c2f0935f (patch)
tree: e941e1b9491b76ac36b02063a11210b8a72eabb7 /crypto/err
parent: c849c6d9d3bf806fecfe0c16eaa55d361979ff7f (diff)
download: openssl-933d10851640014142db0f3b02c2b740c2f0935f.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/crypto/err/err.c b/crypto/err/err.c
index e487e980cb..9f81768ecc 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -399,8 +399,10 @@ static void int_thread_del_item(const ERR_STATE *d)
         if (int_thread_hash_references == 1
             && int_thread_hash
             && lh_ERR_STATE_num_items(int_thread_hash) == 0) {
+            int_thread_hash_references = 0;
             lh_ERR_STATE_free(int_thread_hash);
             int_thread_hash = NULL;
+            hash = NULL;
         }
     }
     CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
author	Kurt Roeckx <kurt@roeckx.be>	2015-12-22 13:11:59 +0100
committer	Kurt Roeckx <kurt@roeckx.be>	2015-12-23 20:36:32 +0100
commit	933d10851640014142db0f3b02c2b740c2f0935f (patch)
tree	e941e1b9491b76ac36b02063a11210b8a72eabb7 /crypto/err
parent	c849c6d9d3bf806fecfe0c16eaa55d361979ff7f (diff)
download	openssl-933d10851640014142db0f3b02c2b740c2f0935f.tar.gz