Posted to bugs@httpd.apache.org by bu...@apache.org on 2020/03/25 10:12:56 UTC

[Bug 64264] New: Potential memory leak: forget to free the return value of OpenSSL API 'SSL_get_peer_certificate'

https://bz.apache.org/bugzilla/show_bug.cgi?id=64264

            Bug ID: 64264
           Summary: Potential memory leak: forget to free the return value
                    of OpenSSL API 'SSL_get_peer_certificate'
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: summerlinasity@gmail.com
  Target Milestone: ---

This issue is caused by OpenSSL API 'SSL_get_peer_certificate' in
modules/ssl/ssl_engine_vars.c:107:
   x = SSL_get_peer_certificate(sslconn->ssl);

According to OpenSSL API document:
"SSL_get_peer_certificate() returns a pointer to the X509 certificate the peer
presented.
The X509 object must be explicitly freed using X509_free()."

So 'x' should be freed by 'X509_free(x)' to avoid a memory leak.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
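
The ownership rule quoted in the report above can be checked mechanically. The following is an added example, not code from httpd and not the reporter's tool: a heuristic Python scan that flags a variable assigned from SSL_get_peer_certificate() when no X509_free() on that variable follows in the same function. The C snippet in SAMPLE and the names leaky, fixed and log_subject are constructed for illustration.

```python
import re

# Calls whose X509* return value the caller owns and must X509_free().
# SSL_get1_peer_certificate is the OpenSSL 3.0 name for the same call.
ASSIGN = re.compile(r"\b(\w+)\s*=\s*SSL_get1?_peer_certificate\s*\(")

def split_functions(source):
    """Yield (first_line_number, body) per top-level brace block (heuristic)."""
    depth, start, buf = 0, 0, []
    for lineno, line in enumerate(source.splitlines(), 1):
        if depth == 0 and "{" in line:
            start, buf = lineno, []
        if depth > 0 or "{" in line:
            buf.append(line)
        depth += line.count("{") - line.count("}")
        if depth == 0 and buf:
            yield start, "\n".join(buf)
            buf = []

def find_unfreed(source):
    """Return [(line, var)] for certs never passed to X509_free() later in the
    same function. Not flow-sensitive: a free on one path counts as freed."""
    findings = []
    for start, body in split_functions(source):
        lines = body.splitlines()
        for offset, line in enumerate(lines):
            m = ASSIGN.search(line)
            if m:
                free = r"\bX509_free\s*\(\s*%s\s*\)" % re.escape(m.group(1))
                if not re.search(free, "\n".join(lines[offset:])):
                    findings.append((start + offset, m.group(1)))
    return findings

# Constructed sample input (not taken from httpd): one leak, one correct use.
SAMPLE = """\
static void leaky(SSL *ssl)
{
    X509 *x = SSL_get_peer_certificate(ssl);
    if (x) { log_subject(x); }
}

static void fixed(SSL *ssl)
{
    X509 *cert = SSL_get_peer_certificate(ssl);
    if (cert) { log_subject(cert); X509_free(cert); }
}
"""

if __name__ == "__main__":
    for line, var in find_unfreed(SAMPLE):
        print(f"line {line}: '{var}' is never passed to X509_free()")
```

A hit is a candidate for manual review, since the scan does not model ownership being handed to another function or a free that happens on only some paths.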


[Bug 64264] Potential memory leak: forget to free the return value of OpenSSL API 'SSL_get_peer_certificate'

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64264

Joe Orton <jo...@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
                 OS|                            |All

--- Comment #1 from Joe Orton <jo...@redhat.com> ---
Nice catch, do you have some tool to check for this or manual review?

Fixed in r1875647.



[Bug 64264] Potential memory leak: forget to free the return value of OpenSSL API 'SSL_get_peer_certificate'

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64264

summerlinasity@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #3 from summerlinasity@gmail.com ---
We found another similar bug in support/ab.c:728, please check it.



[Bug 64264] Potential memory leak: forget to free the return value of OpenSSL API 'SSL_get_peer_certificate'

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64264

Joe Orton <jo...@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #4 from Joe Orton <jo...@redhat.com> ---
Thanks again, fixed that one in r1910847.



[Bug 64264] Potential memory leak: forget to free the return value of OpenSSL API 'SSL_get_peer_certificate'

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64264

--- Comment #2 from summerlinasity@gmail.com ---
Thank you for your quick reply. We are working on an automatic tool to do that
work, and we will release it later.
