[Bug 64264] New: Potential memory leak: forget to free the return value of OpenSSL API 'SSL_get_peer_certificate'


Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64264

            Bug ID: 64264
           Summary: Potential memory leak: forget to free the return value
                    of OpenSSL API 'SSL_get_peer_certificate'
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

This issue is caused by OpenSSL API 'SSL_get_peer_certificate' in
modules/ssl/ssl_engine_vars.c:107:
   x = SSL_get_peer_certificate(sslconn->ssl);

According to OpenSSL API document:
"SSL_get_peer_certificate() returns a pointer to the X509 certificate the peer
presented.
The X509 object must be explicitly freed using X509_free()."

So 'x' should be freed by 'X509_free(x)' to avoid a memory leak.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
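
The ownership rule quoted in the report, as an added example that is not httpd or OpenSSL code: a self-contained model in which `cert_t`, `conn_t`, `conn_get_peer_cert()` and `cert_free()` are hypothetical stand-ins for `X509`, `SSL`, `SSL_get_peer_certificate()` and `X509_free()`. It shows why a lookup that never frees its reference leaves the certificate allocated after the connection is torn down.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins: cert_t models X509, conn_t models SSL. */
typedef struct { int refs; char subject[64]; } cert_t;
typedef struct { cert_t *peer; } conn_t;
static int live_certs = 0;   /* cert_t objects allocated and not yet released */

static cert_t *cert_new(const char *subject) {
    cert_t *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->refs = 1;             /* reference held by the connection */
    strncpy(c->subject, subject, sizeof c->subject - 1);
    live_certs++;
    return c;
}
/* Models X509_free(): drop one reference, release at zero; NULL is a no-op. */
static void cert_free(cert_t *c) {
    if (c && --c->refs == 0) { free(c); live_certs--; }
}
/* Models SSL_get_peer_certificate(): the caller gets its own reference. */
static cert_t *conn_get_peer_cert(conn_t *conn) {
    if (conn->peer) conn->peer->refs++;
    return conn->peer;
}
/* Reported pattern: the certificate is read, the reference is never dropped. */
static size_t subject_len_leaky(conn_t *conn) {
    cert_t *x = conn_get_peer_cert(conn);
    return x ? strlen(x->subject) : 0;
}
/* Corrected pattern: every lookup is paired with a free on the same path. */
static size_t subject_len_fixed(conn_t *conn) {
    cert_t *x = conn_get_peer_cert(conn);
    size_t n = x ? strlen(x->subject) : 0;
    cert_free(x);
    return n;
}
/* Do `lookups` lookups on one connection, close it, and return how many
 * certificates created by this call are still allocated afterwards. */
static int certs_left_after(size_t (*lookup)(conn_t *), int lookups) {
    int before = live_certs;
    conn_t conn = { cert_new("CN=client.example") };  /* constructed sample */
    for (int i = 0; i < lookups; i++) (void)lookup(&conn);
    cert_free(conn.peer);    /* teardown drops only the connection's reference */
    return live_certs - before;
}
int main(void) {
    printf("left allocated: leaky=%d fixed=%d\n",
           certs_left_after(subject_len_leaky, 3), certs_left_after(subject_len_fixed, 3));
    return 0;
}
```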


[Bug 64264] Potential memory leak: forget to free the return value of OpenSSL API 'SSL_get_peer_certificate'

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64264

Joe Orton <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
                 OS|                            |All

--- Comment #1 from Joe Orton <[hidden email]> ---
Nice catch, do you have some tool to check for this or manual review?

Fixed in r1875647.


[Bug 64264] Potential memory leak: forget to free the return value of OpenSSL API 'SSL_get_peer_certificate'

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64264

--- Comment #2 from [hidden email] ---
Thank you for your quick reply. We are working on an automatic tool to do that
work, and we will release it later.


[Bug 64264] Potential memory leak: forget to free the return value of OpenSSL API 'SSL_get_peer_certificate'

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64264

[hidden email] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #3 from [hidden email] ---
We found another similar bug in support/ab.c:728, please check it.
