- Johan van Selst found and fixed a OpenSSL session ref count leak:

ossl_connect_step3() increments an SSL session handle reference counter on each call. When sessions are re-used this reference counter may be incremented many times, but it will be decremented only once when done (by Curl_ossl_session_free()); and the internal OpenSSL data will not be freed if this reference count remains positive. When a session is re-used the reference counter should be corrected by explicitly calling SSL_SESSION_free() after each consecutive SSL_get1_session() to avoid introducing a memory leak. (http://curl.haxx.se/bug/view.cgi?id=2926284)
2010-01-08 23:45:23 +00:00 · 2010-01-08 23:45:23 +00:00 · 552c3de357
parent aa2f447400
commit 552c3de357
3 changed files with 27 additions and 3 deletions
--- a/14
+++ b/14
@ -6,6 +6,20 @@

                                  Changelog

+Daniel Stenberg (9 Jan 2010)
+- Johan van Selst found and fixed a OpenSSL session ref count leak:
+
+  ossl_connect_step3() increments an SSL session handle reference counter on
+  each call. When sessions are re-used this reference counter may be
+  incremented many times, but it will be decremented only once when done (by
+  Curl_ossl_session_free()); and the internal OpenSSL data will not be freed
+  if this reference count remains positive. When a session is re-used the
+  reference counter should be corrected by explicitly calling
+  SSL_SESSION_free() after each consecutive SSL_get1_session() to avoid
+  introducing a memory leak.
+
+  (http://curl.haxx.se/bug/view.cgi?id=2926284)
+
 Daniel Stenberg (7 Jan 2010)
 - Make sure the progress callback is called repeatedly even during very slow
  name resolves when c-ares is used for resolving.
--- a/4
+++ b/4
@ -42,6 +42,7 @@ This release includes the following bugfixes:
 o header include fix for FreeBSD versions before v8
 o fragment part of URLs are no longer sent to the server
 o progress callback called repeatedly with c-ares for resolving
+ o OpenSSL session id ref count leak

 This release includes the following known bugs:

@ -54,6 +55,7 @@ advice from friends like these:
 Marco Maggi, Camille Moncelier, Claes Jakobsson, Kevin Baughman,
 Marc Kleine-Budde, Jad Chamcham, Bjorn Augustsson, David Byron,
 Markus Koetter, Chad Monroe, Martin Storsjo, Siegfried Gyuricsko,
- Jon Nelson, Julien Chaffraix, Renato Botelho, Peter Pentchev, Ingmar Runge
+ Jon Nelson, Julien Chaffraix, Renato Botelho, Peter Pentchev, Ingmar Runge,
+ Johan van Selst

        Thanks! (and sorry if I forgot to mention someone)
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2009, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2010, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@ -2315,7 +2315,15 @@ ossl_connect_step3(struct connectdata *conn,
      return retcode;
    }
  }
-
+#ifdef HAVE_SSL_GET1_SESSION
+  else {
+    /* Session was incache, so refcount already incremented earlier.
+     * Avoid further increments with each SSL_get1_session() call.
+     * This does not free the session as refcount remains > 0
+     */
+    SSL_SESSION_free(our_ssl_sessionid);
+  }
+#endif

  /*
   * We check certificates to authenticate the server; otherwise we risk