Description of problem:

/* get a clone of a BIGNUM with changed flags, for *temporary* use only
 * (the two BIGNUMs cannot not be used in parallel!) */
#define BN_with_flags(dest,b,n) ((dest)->d=(b)->d, \
                                 (dest)->top=(b)->top, \
                                 (dest)->dmax=(b)->dmax, \
                                 (dest)->neg=(b)->neg, \
                                 (dest)->flags=(((dest)->flags & BN_FLG_MALLOCED) \
                                                | ((b)->flags & ~BN_FLG_MALLOCED) \
                                                | BN_FLG_STATIC_DATA \
                                                | (n)))

BN_with_flags is then called with dest being an uninitialized variable. I didn't read enough of the code to say conclusively whether a double free() is possible with the current codebase, but I'd remove that "((dest)->flags & BN_FLG_MALLOCED) |" from BN_with_flags to be sure and to reduce false alarms from static analyzers. It also uses BN_FLG_STATIC_DATA, well sure... openssl is so obvious 😕

Version-Release number of selected component (if applicable): 1.0.1k-12

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
rt.openssl.org said: RT Error Queue could not be loaded.
Or current users of BN_with_flags could initialize flags before calling it so API stays future-compatible.
(In reply to Sami Farin from comment #1)
> Or current users of BN_with_flags could initialize flags before calling it
> so API stays future-compatible.

This is the proper fix. Please report it upstream via mailing to rt
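The initialize-before-use fix discussed in the comments above, as an added example that is not part of the bug report or of OpenSSL. It applies the macro as quoted by the reporter to a stand-in BIGNUM struct with flag values assumed to mirror OpenSSL 1.0.x bn.h, and models leftover stack contents with a constructed fill byte; flags_after_clone and struct_marked_heap are hypothetical helper names.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the OpenSSL 1.0.x BIGNUM layout and flag values (assumed). */
#define BN_FLG_MALLOCED    0x01
#define BN_FLG_STATIC_DATA 0x02
#define BN_FLG_CONSTTIME   0x04

typedef struct { unsigned long *d; int top, dmax, neg, flags; } BIGNUM;

/* The macro as quoted in the report. */
#define BN_with_flags(dest,b,n) ((dest)->d=(b)->d, \
    (dest)->top=(b)->top, \
    (dest)->dmax=(b)->dmax, \
    (dest)->neg=(b)->neg, \
    (dest)->flags=(((dest)->flags & BN_FLG_MALLOCED) \
                 | ((b)->flags & ~BN_FLG_MALLOCED) \
                 | BN_FLG_STATIC_DATA \
                 | (n)))

/* Returns dest->flags after BN_with_flags. prefill is the byte that models
 * whatever the stack held before (constructed); do_init selects the fix. */
int flags_after_clone(unsigned char prefill, int do_init)
{
    unsigned long limb = 42;
    BIGNUM src = { &limb, 1, 1, 0, 0 };
    BIGNUM dest;

    memset(&dest, prefill, sizeof(dest));   /* deterministic "garbage" */
    if (do_init)
        memset(&dest, 0, sizeof(dest));     /* caller zeroes dest before use */
    BN_with_flags(&dest, &src, BN_FLG_CONSTTIME);
    return dest.flags;
}

/* A free routine that trusts this bit would treat the struct as heap memory. */
int struct_marked_heap(int flags) { return (flags & BN_FLG_MALLOCED) != 0; }

int main(void)
{
    printf("fill 0xFF, no init: MALLOCED=%d\n", struct_marked_heap(flags_after_clone(0xFF, 0)));
    printf("fill 0x00, no init: MALLOCED=%d\n", struct_marked_heap(flags_after_clone(0x00, 0)));
    printf("fill 0xFF, init   : MALLOCED=%d\n", struct_marked_heap(flags_after_clone(0xFF, 1)));
    return 0;
}
```

Without initialization the MALLOCED bit of the clone depends entirely on the previous stack contents; with dest zeroed first, the result is the same for every fill byte.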
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.