Posted to bugs@httpd.apache.org by bu...@apache.org on 2020/03/25 10:12:56 UTC
[Bug 64264] New: Potential memory leak: forget to free the return
value of OpenSSL API 'SSL_get_peer_certificate'
https://bz.apache.org/bugzilla/show_bug.cgi?id=64264
Bug ID: 64264
Summary: Potential memory leak: forget to free the return value
of OpenSSL API 'SSL_get_peer_certificate'
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: summerlinasity@gmail.com
Target Milestone: ---
This issue is caused by OpenSSL API 'SSL_get_peer_certificate' in
modules/ssl/ssl_engine_vars.c:107:
x = SSL_get_peer_certificate(sslconn->ssl);
According to OpenSSL API document:
"SSL_get_peer_certificate() returns a pointer to the X509 certificate the peer
presented.
The X509 object must be explicitly freed using X509_free()."
So 'x' should be freed by 'X509_free(x)' to avoid a memory leak.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
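One way to look for the pattern this report describes, as an added example that is not code from the bug thread or from httpd: a Python heuristic that flags function bodies which assign the result of 'SSL_get_peer_certificate' (or 'SSL_get1_peer_certificate', the OpenSSL 3.0 name for the same owning call) and never pass that variable to 'X509_free'. The C sample is constructed and 'log_subject' is a hypothetical helper; a certificate whose ownership is handed to a caller or stored elsewhere will show up as a false positive.

```python
import re
# Calls that return an owned X509 reference the caller must X509_free().
OWNING_CALLS = ("SSL_get_peer_certificate", "SSL_get1_peer_certificate")
ASSIGN_RE = re.compile(r"\b(\w+)\s*=\s*(?:\([^()]*\)\s*)?(%s)\s*\(" % "|".join(OWNING_CALLS))

def function_bodies(source):
    """Yield (start_line, text) per top-level {...} block; braces in strings/comments unhandled."""
    depth, start, buf = 0, 0, []
    for lineno, line in enumerate(source.splitlines(), 1):
        if depth == 0 and "{" in line:
            start, buf = lineno, []
        if depth > 0 or "{" in line:
            buf.append(line)
        depth += line.count("{") - line.count("}")
        if depth == 0 and buf:
            yield start, "\n".join(buf)
            buf = []

def find_unreleased(source):
    """Return [(line, variable, call)] where the variable never reaches X509_free."""
    findings = []
    for start, body in function_bodies(source):
        for m in ASSIGN_RE.finditer(body):
            var, call = m.group(1), m.group(2)
            if not re.search(r"\bX509_free\s*\(\s*%s\s*\)" % re.escape(var), body):
                findings.append((start + body.count("\n", 0, m.start()), var, call))
    return findings

# Constructed sample input; log_subject() is a hypothetical helper.
SAMPLE = """\
static void leaky(SSL *ssl)
{
    X509 *x = SSL_get_peer_certificate(ssl);
    if (x != NULL)
        log_subject(X509_get_subject_name(x));
}

static void fixed(SSL *ssl)
{
    X509 *x = SSL_get_peer_certificate(ssl);
    if (x != NULL) {
        log_subject(X509_get_subject_name(x));
        X509_free(x);
    }
}
"""

if __name__ == "__main__":
    print(find_unreleased(SAMPLE))
```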
[Bug 64264] Potential memory leak: forget to free the return value
of OpenSSL API 'SSL_get_peer_certificate'
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64264
Joe Orton <jo...@redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
OS| |All
--- Comment #1 from Joe Orton <jo...@redhat.com> ---
Nice catch, do you have some tool to check for this or manual review?
Fixed in r1875647.
[Bug 64264] Potential memory leak: forget to free the return value
of OpenSSL API 'SSL_get_peer_certificate'
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64264
summerlinasity@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|FIXED |---
--- Comment #3 from summerlinasity@gmail.com ---
We found another similar bug in support/ab.c:728, please check it.
[Bug 64264] Potential memory leak: forget to free the return value of OpenSSL API 'SSL_get_peer_certificate'
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64264
Joe Orton <jo...@redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution|--- |FIXED
--- Comment #4 from Joe Orton <jo...@redhat.com> ---
Thanks again, fixed that one in r1910847.
[Bug 64264] Potential memory leak: forget to free the return value
of OpenSSL API 'SSL_get_peer_certificate'
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64264
--- Comment #2 from summerlinasity@gmail.com ---
Thank you for your quick reply. We are working on an automatic tool to do that
work, and we will release it later.