SSL internals: fix memory corruption using QSslConfigurationPrivate

We are passing a QSslConfigurationPrivate that is allocated on the stack
(in QSslSocketBackendPrivate::initSslContext()) to
QSslConfiguration::QSslConfiguration(QSslConfigurationPrivate *dd).
When the SSL context is destroyed, this object is not there any more.
So now we create a deep copy of the configuration like we do in
QSslSocket::sslConfiguration().

Task-number: QTBUG-30648
Change-Id: Iaefaa9c00fd6bfb707eba5ac59e9508bf951f8a5
Reviewed-by: Richard J. Moore <rich@kde.org>

1 files changed, 6 insertions, 2 deletions

diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 2b9c4b5bd2..3b2de7a05b 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -325,9 +325,13 @@ bool QSslSocketBackendPrivate::initSslContext()
     Q_Q(QSslSocket);
 
     // If no external context was set (e.g. bei QHttpNetworkConnection) we will create a default context
-    if (!sslContextPointer)
+    if (!sslContextPointer) {
+        // create a deep copy of our configuration
+        QSslConfigurationPrivate *configurationCopy = new QSslConfigurationPrivate(configuration);
+        configurationCopy->ref.store(0);              // the QSslConfiguration constructor refs up
         sslContextPointer = QSharedPointer<QSslContext>(
-                    QSslContext::fromConfiguration(mode, QSslConfiguration(&configuration), allowRootCertOnDemandLoading));
+                    QSslContext::fromConfiguration(mode, configurationCopy, allowRootCertOnDemandLoading));
+    }
 
     if (sslContextPointer->error() != QSslError::NoError) {
         q->setErrorString(sslContextPointer->errorString());