From 75018951ece71668b56ce688740a62f9d4db9277 Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Sat, 13 Mar 2010 00:23:06 -0500
Subject: [PATCH] Fix a possible double-free bug in SSL bufferevents with CLOSE_ON_FREE

With CLOSE_ON_FREE set, we were telling the BIO to free the bufferevent when it was closed, and also freeing it ourselves.
---
 bufferevent_openssl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/bufferevent_openssl.c b/bufferevent_openssl.c
index a5aee02d..86e674b9 100644
--- a/bufferevent_openssl.c
+++ b/bufferevent_openssl.c
@@ -1207,7 +1207,9 @@ bufferevent_openssl_filter_new(struct event_base *base,
     enum bufferevent_ssl_state state,
     int options)
 {
-	int close_flag = options & BEV_OPT_CLOSE_ON_FREE;
+	/* We don't tell the BIO to close the bufferevent; we do it ourselves
+	 * on be_openssl_destruct */
+	int close_flag = 0; /* options & BEV_OPT_CLOSE_ON_FREE; */
 	BIO *bio;
 	if (!underlying)
 		return NULL;
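Review bot: The trailing comment on the new `close_flag` line, `/* options & BEV_OPT_CLOSE_ON_FREE; */`, is commented-out code, and restoring it later would reintroduce exactly the double free this commit removes; the comment should state the invariant rather than preserve the old expression. Since `close_flag` is now always 0, either drop the variable and pass the literal at its use site (presumably the BIO constructor call further down, outside the hunk) or replace the trailing comment with one like `/* must stay 0: the destructor, not the BIO, frees 'underlying' when BEV_OPT_CLOSE_ON_FREE is set */`. The two-line block comment above it names be_openssl_destruct as the place that does the freeing, but nothing in this hunk shows that the destructor actually honours BEV_OPT_CLOSE_ON_FREE, so that is worth confirming against the destructor when reviewing. The function body continues past the end of the hunk.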