Attribute lookup on SSLSession object created through public constructor causes SIGSEGV · Issue #94101 · python/cpython

@chgnrdv

Example:

>>> import ssl
>>> s = ssl.SSLSession()
>>> s.id
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff73b8949 in SSL_SESSION_get_id () from /usr/lib/libssl.so.1.1

Environment:
CPython version tested on: 3.10.3, 3.12.0a0.
SSL version: 1.1.1n.
Linux, 5.16.9-arch1-1, x86_64.

A possible fix is to disallow instantiation of the SSLSession type. Access to the session property of SSLSocket objects works through PySSL_get_session (which does all necessary checks), and attributes of SSLSession objects are read-only, so I think it shouldn't break anything.
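A regression check for the behaviour reported above, added here as an example (it is not code from the issue or from CPython): it runs the reproducer in a child interpreter so a segfault cannot take down the test runner, and reports whether the build still allows instantiation. The names `probe_sslsession` and `classify`, the exit codes 10 and 11, and the expectation that a fixed build raises `TypeError` from the constructor are assumptions of this example.

```python
import subprocess
import sys

# The reproducer from the report, wrapped so each outcome has its own exit code.
CHILD = """
import ssl, sys
try:
    s = ssl.SSLSession()
except TypeError:
    sys.exit(10)   # constructor refused (assumed behaviour of a fixed build)
s.id               # on an affected build this is where SIGSEGV is raised
sys.exit(11)       # instantiation and attribute lookup both returned
"""

def classify(returncode):
    """Map the child's exit status to a verdict."""
    if returncode == 10:
        return "rejected"
    if returncode == 11:
        return "accessible"
    if returncode < 0:          # POSIX: child was killed by signal -returncode
        return "crashed"
    return "error"              # e.g. ssl module missing in that interpreter

def probe_sslsession(python=sys.executable, timeout=30):
    """Run the reproducer in a child interpreter; return (verdict, detail)."""
    proc = subprocess.run(
        [python, "-X", "faulthandler", "-c", CHILD],
        capture_output=True, text=True, timeout=timeout,
    )
    verdict = classify(proc.returncode)
    # With faulthandler enabled, a crash leaves "Fatal Python error: ..." on stderr.
    lines = proc.stderr.strip().splitlines()
    detail = lines[0] if lines else f"exit status {proc.returncode}"
    return verdict, detail

if __name__ == "__main__":
    print(*probe_sslsession(), sep=": ")
```

Pass another interpreter path as `python` to check a specific build; the negative-return-code test for a signal applies to POSIX systems such as the Linux environment in the report.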