From 1fd3e5745a4e6666ed8c91dd207693dbb482d578 Mon Sep 17 00:00:00 2001
From: "Nathaniel J. Smith"
Date: Wed, 7 Jun 2017 23:09:43 -0700
Subject: [PATCH] Fix spurious DECREF in newPySSLSocket

In newPySSLSocket, it sets up the new 'self' object, which among other things owns a reference to the parent SSLContext in 'self->ctx'. It then tries to idna-decode the given server_hostname, and if this fails it does Py_DECREF(self) and returns. The Py_DECREF(self) causes the PySSLSocket destructor to run, which calls Py_DECREF(self->ctx), which releases the reference to the parent SSLContext object. However... as currently written, we don't actually *take* the reference to the parent SSLContext until *after* the idna-decoding step. I.e., this does a Py_DECREF on an object that was never Py_INCREFed. Eventually we get a segfault.
---
 Modules/_ssl.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 68fd2dda25a563..c9057c8eeec7eb 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -599,6 +599,7 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
     self->ssl = NULL;
     self->Socket = NULL;
     self->ctx = sslctx;
+    Py_INCREF(sslctx);
     self->shutdown_seen_zero = 0;
     self->handshake_done = 0;
     self->owner = NULL;
@@ -613,8 +614,6 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
         self->server_hostname = hostname;
     }
 
-    Py_INCREF(sslctx);
-
     /* Make sure the SSL error state is initialized */
     (void) ERR_get_state();
     ERR_clear_error();
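Review bot: The ordering invariant this fix depends on — that `self->ctx` must hold an owned reference before any error path does `Py_DECREF(self)` — is not recorded in the code, so the next refactor of the field-initialisation block at the top of the first hunk can silently reintroduce the same unowned DECREF. I would document it at the added line, e.g. `/* Owned reference, released by the PySSLSocket destructor; must be taken before any error path that DECREFs self. */`, and place the INCREF before the assignment (`Py_INCREF(sslctx); self->ctx = sslctx;`) so the field is never observed holding a borrowed pointer. The same reasoning presumably applies to any other field the destructor releases, so `self->ssl`, `self->Socket` and `self->owner` being set to NULL before the hostname decode is what keeps that path safe and is worth a note too. A regression test that passes a server_hostname the idna codec rejects would pin the fix, since the description says that is the path which crashed. The rest of newPySSLSocket, including the hostname-decoding error path, lies outside both hunks.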