From 835e720c7e47e3e5ea70875bf26b0b71d6729b57 Mon Sep 17 00:00:00 2001
From: Peter Hartmann
Date: Wed, 17 Apr 2013 17:42:32 +0200
Subject: SSL internals: fix memory corruption using QSslConfigurationPrivate

We are passing a QSslConfigurationPrivate that is allocated on the stack (in QSslSocketBackendPrivate::initSslContext()) to QSslConfiguration::QSslConfiguration(QSslConfigurationPrivate *dd). When the SSL context is destroyed, this object is not there any more. So now we create a deep copy of the configuration like we do in QSslSocket::sslConfiguration().

Task-number: QTBUG-30648
Change-Id: Iaefaa9c00fd6bfb707eba5ac59e9508bf951f8a5
Reviewed-by: Richard J. Moore
---
 src/network/ssl/qsslsocket_openssl.cpp | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'src/network/ssl')
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 2b9c4b5bd2..3b2de7a05b 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -325,9 +325,13 @@ bool QSslSocketBackendPrivate::initSslContext()
 Q_Q(QSslSocket);
 
 // If no external context was set (e.g. bei QHttpNetworkConnection) we will create a default context
- if (!sslContextPointer)
+ if (!sslContextPointer) {
+ // create a deep copy of our configuration
+ QSslConfigurationPrivate *configurationCopy = new QSslConfigurationPrivate(configuration);
+ configurationCopy->ref.store(0); // the QSslConfiguration constructor refs up
 sslContextPointer = QSharedPointer(
- QSslContext::fromConfiguration(mode, QSslConfiguration(&configuration), allowRootCertOnDemandLoading));
+ QSslContext::fromConfiguration(mode, configurationCopy, allowRootCertOnDemandLoading));
+ }
 
 if (sslContextPointer->error() != QSslError::NoError) {
 q->setErrorString(sslContextPointer->errorString());
-- 
cgit v1.2.3
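Review bot: Ownership of `configurationCopy` in the added block is handed over only through what appears to be an implicit conversion to `QSslConfiguration` at the `fromConfiguration` call (the removed line wrote `QSslConfiguration(&configuration)` explicitly), so the raw `new` followed by a manual `ref.store(0)` reads like a leak and would silently become one if the parameter type ever stopped converting. Writing the hand-off out keeps the lifetime visible at the point where it matters: `QSslContext::fromConfiguration(mode, QSslConfiguration(configurationCopy), allowRootCertOnDemandLoading));` with a comment such as `// ownership passes to the QSslConfiguration, which takes the refcount from 0 to 1`. The signature of `fromConfiguration` is not in the hunk, so the implicit conversion is inferred from the call site. The body of `initSslContext()` starts and continues outside the hunk.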