On Sat, 26 Oct 2002 00:03:44 +0200, Nadav Har'El wrote about "Bug fix: leak of peer
certificate":
> There is a memory leak in mod_ssl-2.8.11-1.3.27 when client-authentication
> is used. The peer certificates are leaked - as much as 3-4K per request.
>
> I am enclosing a description of the memory leak, and a suggested patch to
> mod_ssl-2.8.11-1.3.27 to fix it. I'd appreciate if it (or some variant of
> the same idea) will be applied to mod_ssl.
> I haven't yet looked whether the same leak exists in Apache 2 and whether it
> should be fixed there too.
>
> Thanks to Zvi Har'El for researching and fixing this bug with me.
[snip]
> diff -ur mod_ssl-2.8.11-1.3.27-dist/pkg.sslmod/ssl_engine_kernel.c
>mod_ssl-2.8.11-1.3.27/pkg.sslmod/ssl_engine_kernel.c
> --- mod_ssl-2.8.11-1.3.27-dist/pkg.sslmod/ssl_engine_kernel.c 2002-10-04
>16:30:37.000000000 +0300
> +++ mod_ssl-2.8.11-1.3.27/pkg.sslmod/ssl_engine_kernel.c 2002-10-25
>17:33:14.000000000 +0200
[snip]
> @@ -865,11 +866,12 @@
> /* optimization */
> if ( dc->nOptions & SSL_OPT_OPTRENEGOTIATE
> && nVerifyOld == SSL_VERIFY_NONE
> - && SSL_get_peer_certificate(ssl) != NULL)
> + && (cert = SSL_get_peer_certificate(ssl)) != NULL)
> renegotiate_quick = TRUE;
> ssl_log(r->server, SSL_LOG_TRACE,
> "Changed client verification type will force
>%srenegotiation",
> renegotiate_quick ? "quick " : "");
> + X509_free(cert);
> }
> }
> }
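Review bot: `X509_free(cert)` on the last `+` line runs unconditionally after the `if`, but `cert` is only assigned when the `&&` chain gets all the way to `SSL_get_peer_certificate(ssl)`; if `SSL_OPT_OPTRENEGOTIATE` is not set or `nVerifyOld` is not `SSL_VERIFY_NONE`, the call is short-circuited and `cert` still holds whatever it had before (its declaration is outside this hunk; the shift from `-865` to `+866` suggests it was added earlier in the file), so the free operates on an uninitialized or stale pointer. Move the free into the taken branch, e.g. `renegotiate_quick = TRUE;` followed by `X509_free(cert);` inside braces, or initialize `cert` to NULL where it is declared so the unconditional free is a no-op on the other paths.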
I apologize, to err is human, and the last chunk should be a little different:
The X509_free(cert) command should be executed only if the "if" succeeds, i.e.,
/* optimization */
if ( dc->nOptions & SSL_OPT_OPTRENEGOTIATE
&& nVerifyOld == SSL_VERIFY_NONE
- && SSL_get_peer_certificate(ssl) != NULL)
+ && (cert = SSL_get_peer_certificate(ssl)) != NULL) {
renegotiate_quick = TRUE;
+ X509_free(cert);
+ }
ssl_log(r->server, SSL_LOG_TRACE,
"Changed client verification type will force %srenegotiation",
renegotiate_quick ? "quick " : "");
}
}
}
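Review bot: freeing `cert` only inside the new braced branch is the right fix, and the braces keep `ssl_log` outside the `if`, matching the original where the unbraced `if` body was just `renegotiate_quick = TRUE;`. Two things still worth confirming in the full patch: `cert` has to be declared as an `X509 *` somewhere above this chunk (the declaration is not shown here), and since `SSL_get_peer_certificate()` hands back the peer certificate with its reference count incremented, this `X509_free` only releases the caller's reference, which is exactly what closes the per-request leak without touching the reference the SSL session itself holds.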
--
Dr. Zvi Har'El mailto:rl@math.technion.ac.il Department of Mathematics
tel:+972-54-227607 Technion - Israel Institute of Technology
fax:+972-4-8324654 http://www.math.technion.ac.il/~rl/ Haifa 32000, ISRAEL
"If you can't say somethin' nice, don't say nothin' at all." -- Thumper (1942)
Tuesday, 23 Heshvan 5763, 29 October 2002, 5:20PM
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]