Unreachable code in Modules/_ssl.c #106831

Closed
@sobolevn

Looks like code in this check cannot ever be reached:

cpython/Modules/_ssl.c

Lines 2824 to 2827 in 2b94a05

    newsession = d2i_SSL_SESSION(NULL, &const_p, slen);
    if (session == NULL) {
        goto error;
    }

At this point session cannot be NULL, because it is checked right above:

cpython/Modules/_ssl.c

Lines 2803 to 2806 in 2b94a05

    if (session == NULL) {
        PyErr_SetString(PyExc_ValueError, "Invalid session");
        goto error;
    }

I guess that it was intended to check newsession variable instead.

Docs say: https://www.openssl.org/docs/man1.0.2/man3/d2i_SSL_SESSION.html

d2i_SSL_SESSION() returns a pointer to the newly allocated SSL_SESSION object. In case of failure the NULL-pointer is returned and the error message can be retrieved from the error stack.

One more thing that bothers me here is that the error is not set. We just return NULL, which can theoretically crash the interpreter.

So, my plan is to:

  1. Check newsession instead
  2. Add a ValueError there

Originally introduced in 99a6570

PR is on its way.

Found by Linux Verification Center (portal.linuxtesting.ru) with SVACE.

Author A. Voronin.
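
The wrong-variable check described in this issue, next to the shape of the planned fix, as an added example that is not part of the original report or CPython's code. `decode_session`, `session_t`, the byte format and the return codes are hypothetical stand-ins (for `d2i_SSL_SESSION()` and `SSL_SESSION`) constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for SSL_SESSION; not an OpenSSL type. */
typedef struct { unsigned char id[4]; } session_t;

/* Hypothetical stand-in for d2i_SSL_SESSION(): returns a newly allocated
   object, or NULL on failure. Constructed format: tag 0x30 + 4 id bytes. */
static session_t *decode_session(const unsigned char *buf, size_t len) {
    if (len != 5 || buf[0] != 0x30)
        return NULL;
    session_t *s = malloc(sizeof *s);
    if (s != NULL)
        memcpy(s->id, buf + 1, 4);
    return s;
}

enum { COPY_OK = 0, COPY_INVALID = -1, COPY_DECODE_FAILED = -2 };

/* Shape of the reported bug: the second test repeats `session`, which the
   first test already proved non-NULL, so a decode failure is never seen. */
static int copy_buggy(const session_t *session, const unsigned char *buf,
                      size_t len, session_t **newsession) {
    if (session == NULL)
        return COPY_INVALID;
    *newsession = decode_session(buf, len);
    if (session == NULL)            /* unreachable */
        return COPY_DECODE_FAILED;
    return COPY_OK;                 /* *newsession may be NULL here */
}

/* Shape of the planned fix: test the decoder's result and report an error. */
static int copy_fixed(const session_t *session, const unsigned char *buf,
                      size_t len, session_t **newsession) {
    if (session == NULL)
        return COPY_INVALID;
    *newsession = decode_session(buf, len);
    if (*newsession == NULL)
        return COPY_DECODE_FAILED;
    return COPY_OK;
}

int main(void) {
    const unsigned char bad[] = {0x31, 1, 2, 3, 4};  /* constructed, wrong tag */
    session_t src = {{1, 2, 3, 4}}, *out = NULL;
    printf("buggy: rc=%d out=%p\n", copy_buggy(&src, bad, sizeof bad, &out), (void *)out);
    printf("fixed: rc=%d\n", copy_fixed(&src, bad, sizeof bad, &out));
    return 0;
}
```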
