pythongh-144833: Fix use-after-free in SSL module when SSL_new() fails (pythonGH-144843)

raminfp · miss-islington · commit 0d83a6ff5df2 · 2026-02-16T02:43:52.000Z
In newPySSLSocket(), when SSL_new() returns NULL, Py_DECREF(self) was called before _setSSLError(get_state_ctx(self), ...), causing a use-after-free. Additionally, get_state_ctx() was called with self (PySSLSocket*) instead of sslctx (PySSLContext*), which is a type confusion bug. Fix by calling _setSSLError() before Py_DECREF() and using sslctx instead of self for get_state_ctx(). (cherry picked from commit c91638c) Co-authored-by: Ramin Farajpour Cami <ramin.blackhat@gmail.com>
diff --git a/Misc/NEWS.d/next/Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst b/Misc/NEWS.d/next/Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst
@@ -0,0 +1,3 @@
+Fixed a use-after-free in :mod:`ssl` when ``SSL_new()`` returns NULL in
+``newPySSLSocket()``. The error was reported via a dangling pointer after the
+object had already been freed.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
@@ -846,8 +846,8 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
     self->ssl = SSL_new(ctx);
     PySSL_END_ALLOW_THREADS
     if (self->ssl == NULL) {
+        _setSSLError(get_state_ctx(sslctx), NULL, 0, __FILE__, __LINE__);
         Py_DECREF(self);
-        _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__);
         return NULL;
     }
     /* bpo43522 and OpenSSL < 1.1.1l: copy hostflags manually */

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+Fixed a use-after-free in :mod:`ssl` when ``SSL_new()`` returns NULL in
	`2`	+``newPySSLSocket()``. The error was reported via a dangling pointer after the
	`3`	`+object had already been freed.`