httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [Bug 54357] Crash during restart or at startup in mod_ssl, in certinfo_free() function registered by ssl_stapling_ex_init()
Date Wed, 24 Sep 2014 18:11:14 GMT

--- Comment #33 from Alex Bligh <> ---
(In reply to Kaspar Brand from comment #32)
> (In reply to Alex Bligh from comment #31)
> > Ah yes. Your v7 is still leaking it on server restart.
> On restart? How exactly? I don't follow yet, but perhaps I'm missing the
> obvious.


Here's what I think will happen.

When ssl_stapling_init_cert is run, it does:
 cid = OCSP_cert_to_id(NULL, x, issuer);

Your new patch (v7) implies that this actually allocates something that needs
to be deallocated (as opposed to merely returning a pointer to an existing
object). I didn't realise that (because the old code was never freeing cid
under any circumstances). This is presumably why you have inserted:
if aia is NULL and there is no stapling URL.

But if this is true, we have an issue when the server is restarted as follows:

If the stapling info is correct, then the cinf struct will have a reference to
the allocated OSCP_CERTID (cid), and this will be inserted into the hash table.
This is used later on stapling callbacks.

But when the server apr pool is freed (on a restart), it will free the hash
table of cinf entries and the cinf entries themselves, but cinf->cid will not
be freed (i.e. OCSP_CERTID_free() will not be called), because it is not
allocated in an apr pool and we haven't registered a cleanup handler for it.

Therefore, when the restart occurs, the hash table will be entry and it will
call OCSP_cert_to_id again for each certificate, allocating another OSCP_CERTID
structure (and anything beneath that). As far as I can tell, this will be
leaked on each restart.

I think:
  apr_pool_cleanup_register(p, cid, OCSP_CERTID_free, apr_pool_cleanup_null);

or similar somewhere around the hash_set will fix this.


You are receiving this mail because:
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message