[Python-checkins] [3.12] gh-144833: Fix use-after-free in SSL module when SSL_new() fails (GH-144843) (#144860)

Mon, 23 Feb 2026 06:51:05 -0800 

https://github.com/python/cpython/commit/9fc477cd1da0813709d021dc960be1aa3aa1e670
commit: 9fc477cd1da0813709d021dc960be1aa3aa1e670
branch: 3.12
author: Miss Islington (bot) <[email protected]>
committer: Yhg1s <[email protected]>
date: 2026-02-23T15:50:38+01:00
summary:

[3.12] gh-144833: Fix use-after-free in SSL module when SSL_new() fails 
(GH-144843) (#144860)

gh-144833: Fix use-after-free in SSL module when SSL_new() fails (GH-144843)

In newPySSLSocket(), when SSL_new() returns NULL, Py_DECREF(self)
was called before _setSSLError(get_state_ctx(self), ...), causing
a use-after-free. Additionally, get_state_ctx() was called with
self (PySSLSocket*) instead of sslctx (PySSLContext*), which is
a type confusion bug.

Fix by calling _setSSLError() before Py_DECREF() and using
sslctx instead of self for get_state_ctx().
(cherry picked from commit c91638ca0671b8038831f963ed44e66cdda006a2)

Co-authored-by: Ramin Farajpour Cami <[email protected]>

files:
A Misc/NEWS.d/next/Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst
M Modules/_ssl.c

diff --git 
a/Misc/NEWS.d/next/Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst 
b/Misc/NEWS.d/next/Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst
new file mode 100644
index 00000000000000..6d5b18f59ee7ea
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst
@@ -0,0 +1,3 @@
+Fixed a use-after-free in :mod:`ssl` when ``SSL_new()`` returns NULL in
+``newPySSLSocket()``. The error was reported via a dangling pointer after the
+object had already been freed.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 0b8cf0b6df3ca5..aae4dc323dd646 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -838,8 +838,8 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject 
*sock,
     self->ssl = SSL_new(ctx);
     PySSL_END_ALLOW_THREADS
     if (self->ssl == NULL) {
+        _setSSLError(get_state_ctx(sslctx), NULL, 0, __FILE__, __LINE__);
         Py_DECREF(self);
-        _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__);
         return NULL;
     }
     /* bpo43522 and OpenSSL < 1.1.1l: copy hostflags manually */

_______________________________________________
Python-checkins mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3//lists/python-checkins.python.org
Member address: [email protected]

Reply via email to