I came up with a better patch. Actually, it is not required to free compression methods on OpenSSL >= 1.0.0, so let us only do that when it is really necessary.

Sat, 25 May 2019 at 14:59, Ilya Shipitsin <chipits...@gmail.com>:

> hi, I see it is not yet applied.
> it turned out that freeing breaks LibreSSL internals.
> so, here's v2 (free only if not LibreSSL)
>
> Sat, 25 May 2019 at 10:46, Willy Tarreau <w...@1wt.eu>:
>
>> Hi Ilya,
>>
>> > From 61f04a8ecdcfc105f732d5978180ad2ab746cc34 Mon Sep 17 00:00:00 2001
>> > From: Ilya Shipitsin <chipits...@gmail.com>
>> > Date: Sat, 25 May 2019 03:38:14 +0500
>> > Subject: [PATCH] BUG/MINOR: ssl_sock: Fix memory leak when disabling
>> >  compression
>> >
>> > according to manpage:
>> >
>> >        sk_TYPE_zero() sets the number of elements in sk to zero. It
>> >        does not free sk so after this call sk is still valid.
>> >
>> > so we need to free all elements
>>
>> Hey, good catch! I think this one has been there forever :-)
>>
>> Applied, thanks.
>> Willy
>>
>
From bbd0892bbc09969eb420920832e5b8903eeae350 Mon Sep 17 00:00:00 2001 From: Ilya Shipitsin <chipits...@gmail.com> Date: Sat, 25 May 2019 19:30:50 +0500 Subject: [PATCH] BUILD: fix latest LibreSSL reg-test error starting with OpenSSL 1.0.0 recommended way to disable compression is using SSL_OP_NO_COMPRESSION when creating context. manipulations with SSL_COMP_get_compression_methods, sk_SSL_COMP_num are only required for OpenSSL < 1.0.0 --- src/ssl_sock.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 4a0ad768..6f62375a 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -9701,8 +9701,10 @@ static void ssl_sock_capture_free_func(void *parent, void *ptr, CRYPTO_EX_DATA * __attribute__((constructor)) static void __ssl_sock_init(void) { +#if (!defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION)) STACK_OF(SSL_COMP)* cm; int n; +#endif if (global_ssl.listen_default_ciphers) global_ssl.listen_default_ciphers = strdup(global_ssl.listen_default_ciphers); @@ -9719,11 +9721,13 @@ static void __ssl_sock_init(void) #if HA_OPENSSL_VERSION_NUMBER < 0x10100000L SSL_library_init(); #endif +#if (!defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION)) cm = SSL_COMP_get_compression_methods(); n = sk_SSL_COMP_num(cm); while (n--) { (void) sk_SSL_COMP_pop(cm); } +#endif #if defined(USE_THREAD) && (HA_OPENSSL_VERSION_NUMBER < 0x10100000L) ssl_locking_init(); -- 2.20.1
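
Review bot: The guard `#if (!defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION))` is spelled out twice, once in the first hunk around the `cm` and `n` declarations and again around the loop, so the two copies can drift apart and leave either unused variables or undeclared ones. Consider defining one local macro for the condition, or moving the declarations and the loop together into a small helper under a single `#if`. The guard is also a feature test on the macro, while the commit message speaks of "OpenSSL < 1.0.0"; a one-line comment at the `#if` stating that it selects libraries without `SSL_OP_NO_COMPRESSION` would make the intent clear. Finally, the subject mentions a LibreSSL reg-test error, but the body does not say how the removed calls cause it; a sentence on that would help later readers of the log.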
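
Review bot: In the second hunk of `__ssl_sock_init()`, `!defined(SSL_OP_NO_COMPRESSION)` only checks that the macro exists, so on every library that defines it the global compression-method stack is no longer emptied and TLS compression stays disabled only if `SSL_OP_NO_COMPRESSION` is actually set on each SSL context. None of the lines shown here set that option, so please name in the commit message where it is applied (for both bind and server contexts), or add a comment at this `#if` pointing to it, so that a later change to the context options cannot silently re-enable compression. On the path that remains for older libraries, `(void) sk_SSL_COMP_pop(cm);` still discards the popped element; given the earlier discussion in this thread about freeing, it is worth stating whether that is intentional for those versions.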