Le 27/05/2015 à 18:33, wr...@apache.org a écrit :
Author: wrowe
Date: Wed May 27 16:33:10 2015
New Revision: 1682074

URL: http://svn.apache.org/r1682074
Log:
mod_ssl: fix small memory leak in ssl_init_server_certs when ECDH is used.
SSL_CTX_set_tmp_ecdh increases reference count, so we have to call
EC_KEY_free, otherwise eckey will not be freed.

Backports: r1666363
Author: jkaluza
Reviewed by: rjung, ylavic, wrowe


Modified:
     httpd/httpd/branches/2.4.x/   (props changed)
     httpd/httpd/branches/2.4.x/STATUS
     httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
Modified: httpd/httpd/branches/2.4.x/STATUS
URL: 
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1682074&r1=1682073&r2=1682074&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Wed May 27 16:33:10 2015
@@ -105,13 +105,6 @@ RELEASE SHOWSTOPPERS:
  PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
    [ start all new proposals below, under PATCHES PROPOSED. ]
- *) mod_ssl: fix small memory leak in ssl_init_server_certs when ECDH is used.
-     SSL_CTX_set_tmp_ecdh increases reference count, so we have to call
-     EC_KEY_free, otherwise eckey will not be freed.
-     trunk patch: http://svn.apache.org/r1666363
-     2.4.x patch: 
http://people.apache.org/~rjung/patches/httpd-2.4.x-free-eckey.patch
-     +1: rjung, ylavic, wrowe
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
    [ New proposals should be added at the end of the list ]

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
URL: 
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c?rev=1682074&r1=1682073&r2=1682074&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c Wed May 27 
16:33:10 2015
@@ -960,7 +960,7 @@ static apr_status_t ssl_init_server_cert
  #ifdef HAVE_ECC
      EC_GROUP *ecparams;
      int nid;
-    EC_KEY *eckey;
+    EC_KEY *eckey = NULL;
  #endif
  #ifndef HAVE_SSL_CONF_CMD
      SSL *ssl;
@@ -1133,6 +1133,7 @@ static apr_status_t ssl_init_server_cert
                               EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
  #endif
      }
+    EC_KEY_free(eckey);
  #endif
return APR_SUCCESS;




Hi,

This backport looks incomplete.

In the original patch (r1666363) we have:
@@ -1151,10 +1151,11 @@
 #if defined(SSL_CTX_set_ecdh_auto)
         SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
 #else
-        SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx,
- EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
+        eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+        SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);
which is not in the backported code. (neither in the .patch file, nor in the backport itself)

Was it intentional or should the missing part be also backported?
My feeling is that it should be merged.

CJ

Reply via email to