Le 27/05/2015 à 18:33, wr...@apache.org a écrit :
Author: wrowe
Date: Wed May 27 16:33:10 2015
New Revision: 1682074
URL: http://svn.apache.org/r1682074
Log:
mod_ssl: fix small memory leak in ssl_init_server_certs when ECDH is used.
SSL_CTX_set_tmp_ecdh increases reference count, so we have to call
EC_KEY_free, otherwise eckey will not be freed.
Backports: r1666363
Author: jkaluza
Reviewed by: rjung, ylavic, wrowe
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/STATUS
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
Modified: httpd/httpd/branches/2.4.x/STATUS
URL:
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1682074&r1=1682073&r2=1682074&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Wed May 27 16:33:10 2015
@@ -105,13 +105,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- *) mod_ssl: fix small memory leak in ssl_init_server_certs when ECDH is used.
- SSL_CTX_set_tmp_ecdh increases reference count, so we have to call
- EC_KEY_free, otherwise eckey will not be freed.
- trunk patch: http://svn.apache.org/r1666363
- 2.4.x patch:
http://people.apache.org/~rjung/patches/httpd-2.4.x-free-eckey.patch
- +1: rjung, ylavic, wrowe
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
URL:
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c?rev=1682074&r1=1682073&r2=1682074&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c Wed May 27
16:33:10 2015
@@ -960,7 +960,7 @@ static apr_status_t ssl_init_server_cert
#ifdef HAVE_ECC
EC_GROUP *ecparams;
int nid;
- EC_KEY *eckey;
+ EC_KEY *eckey = NULL;
#endif
#ifndef HAVE_SSL_CONF_CMD
SSL *ssl;
@@ -1133,6 +1133,7 @@ static apr_status_t ssl_init_server_cert
EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
#endif
}
+ EC_KEY_free(eckey);
#endif
return APR_SUCCESS;
Hi,
This backport looks incomplete.
In the original patch (r1666363) we have:
@@ -1151,10 +1151,11 @@
#if defined(SSL_CTX_set_ecdh_auto)
SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
#else
- SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx,
-
EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
+ eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);
which is not in the backported code. (neither in the .patch file, nor in
the backport itself)
Was it intentional or should the missing part be also backported?
My feeling is that it should be merged.
CJ