TLS connections fails with OpenSSL 3.2

Description:

With openssl 3.2.0-1, a double free occurs for a TLS connection

psql: error: connection to server at "db.chyen.cc" (::1), port 5432 failed: FATAL:  no PostgreSQL user name specified in startup packet
free(): invalid pointer
Aborted

With openssl 3.1.4-1, I got a correct error message (my server requires mTLS, so the error message is expected)

psql: error: connection to server at "db.chyen.cc" (::1), port 5432 failed: FATAL:  connection requires a valid client certificate

Additional info:

• openssl 3.2.0-1
• postgresql-libs 16.1-2

Rebuilding postgresql-libs against openssl 3.2 does not help.

I guess this is probably an upstream issue in openssl or postgresql, but I haven't had time to dive deeper.

Here is the gdb log:

gdb log

#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1  0x00007ffff7cb78a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00007ffff7c67668 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007ffff7c4f4b8 in __GI_abort () at abort.c:79
#4  0x00007ffff7c50390 in __libc_message (fmt=fmt@entry=0x7ffff7dc755d "%s\n") at ../sysdeps/posix/libc_fatal.c:150
#5  0x00007ffff7cc17b7 in malloc_printerr (str=str@entry=0x7ffff7dc502b "free(): invalid pointer") at malloc.c:5765
#6  0x00007ffff7cc3a74 in _int_free (av=<optimized out>, p=<optimized out>, have_lock=have_lock@entry=0) at malloc.c:4500
#7  0x00007ffff7cc6353 in __GI___libc_free (mem=<optimized out>) at malloc.c:3391
#8  0x00007ffff7f5cac4 in freePGconn (conn=0x55555561b970) at /usr/src/debug/postgresql/postgresql-16.1/src/interfaces/libpq/fe-connect.c:4413
#9  0x00007ffff7f6058b in PQfinish (conn=<optimized out>) at /usr/src/debug/postgresql/postgresql-16.1/src/interfaces/libpq/fe-connect.c:4604
#10 0x000055555556e66a in main (argc=<optimized out>, argv=0x7fffffffd4c8) at /usr/src/debug/postgresql/postgresql-16.1/src/bin/psql/startup.c:305

In valgrind, there are many detections like this:

excerpted valgrind log

==26569== Invalid read of size 8
==26569==    at 0x4881ABB: freePGconn (fe-connect.c:4413)
==26569==    by 0x122669: main (startup.c:305)
==26569==  Address 0x5499230 is 0 bytes inside a block of size 1,192 free'd
==26569==    at 0x484488F: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==26569==    by 0x4DB360E: sock_free (bss_sock.c:111)
==26569==    by 0x4DB132E: BIO_free (bio_lib.c:141)
==26569==    by 0x4DB13BC: BIO_free_all (bio_lib.c:858)
==26569==    by 0x4C29B16: UnknownInlinedFun (ssl_lib.c:1503)
==26569==    by 0x4C29B16: ossl_ssl_connection_free (ssl_lib.c:1415)
==26569==    by 0x4C28C45: SSL_free (ssl_lib.c:1406)
==26569==    by 0x489A547: pgtls_close (fe-secure-openssl.c:1638)
==26569==    by 0x4880B95: UnknownInlinedFun (fe-secure.c:192)
==26569==    by 0x4880B95: pqDropConnection (fe-connect.c:472)
==26569==    by 0x4885451: closePGconn (fe-connect.c:4581)
==26569==    by 0x4885581: UnknownInlinedFun (fe-connect.c:4603)
==26569==    by 0x4885581: PQfinish (fe-connect.c:4599)
==26569==    by 0x122669: main (startup.c:305)
==26569==  Block was alloc'd at
==26569==    at 0x4848953: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==26569==    by 0x48820D9: makeEmptyPGconn (fe-connect.c:4313)
==26569==    by 0x4888792: PQconnectStartParams (fe-connect.c:792)
==26569==    by 0x4888DBA: PQconnectdbParams (fe-connect.c:682)
==26569==    by 0x121F4C: main (startup.c:272)
==26569==

If I set ask gdb to break at sock_free, the free'd pointer is the same as the one allocated by by makeEmptyPGconn. Sounds like something wrong in memory management.

Steps to reproduce:

1. Configure a PostgreSQL server that accepts TLS connections
2. psql "host=db.chyen.cc port=5432 sslmode=verify-full sslrootcert=/etc/ssl/cert.pem"