https://issues.apache.org/bugzilla/show_bug.cgi?id=54357
--- Comment #33 from Alex Bligh <[email protected]> --- (In reply to Kaspar Brand from comment #32) > (In reply to Alex Bligh from comment #31) > > Ah yes. Your v7 is still leaking it on server restart. > > On restart? How exactly? I don't follow yet, but perhaps I'm missing the > obvious. Kaspar, Here's what I think will happen. When ssl_stapling_init_cert is run, it does: cid = OCSP_cert_to_id(NULL, x, issuer); Your new patch (v7) implies that this actually allocates something that needs to be deallocated (as opposed to merely returning a pointer to an existing object). I didn't realise that (because the old code was never freeing cid under any circumstances). This is presumably why you have inserted: OCSP_CERTID_free(cid); if aia is NULL and there is no stapling URL. But if this is true, we have an issue when the server is restarted as follows: If the stapling info is correct, then the cinf struct will have a reference to the allocated OSCP_CERTID (cid), and this will be inserted into the hash table. This is used later on stapling callbacks. But when the server apr pool is freed (on a restart), it will free the hash table of cinf entries and the cinf entries themselves, but cinf->cid will not be freed (i.e. OCSP_CERTID_free() will not be called), because it is not allocated in an apr pool and we haven't registered a cleanup handler for it. Therefore, when the restart occurs, the hash table will be entry and it will call OCSP_cert_to_id again for each certificate, allocating another OSCP_CERTID structure (and anything beneath that). As far as I can tell, this will be leaked on each restart. I think: apr_pool_cleanup_register(p, cid, OCSP_CERTID_free, apr_pool_cleanup_null); or similar somewhere around the hash_set will fix this. Alex -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
