Now that was a useful pointer, thanks a bunch! We have had this leak ever since the subjectAltName support was added in 2005 (fetchmail 6.2.9)... it strikes whenever we manage to extract these fields from a certificate while verifying it.
This bug only hurts in daemon mode, because the leak accumulates only then. Can either of the reporters see and report back if the attached patch improves the situation for you?
From 7ffec45913adc02a5c5f6a2cfe95a41d42ae535c Mon Sep 17 00:00:00 2001 From: Matthias Andree <matthias.and...@gmx.de> Date: Thu, 13 Dec 2012 23:44:37 +0100 Subject: [PATCH] Plug a memory leak in OpenSSL's certificate verification callback. This would affect fetchmail configurations running with SSL in daemon mode more than one-shot runs. Reported by Erik Thiele, and pinned by Dominik, Debian Bug #688015. This bug was introduced into fetchmail 6.2.9 (committed 2005-10-29) when support for subjectAltName was added through a patch by Roland Stigge, submitted as Debian Bug#201113. --- socket.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/socket.c b/socket.c index 634b476..3e4a3ac 100644 --- a/socket.c +++ b/socket.c @@ -689,7 +689,7 @@ static int SSL_verify_callback( int ok_return, X509_STORE_CTX *ctx, int strict ) } } } - sk_GENERAL_NAME_free(gens); + GENERAL_NAMES_free(gens); } if (name_match(p1, p2)) { matched = 1; -- 1.7.9.5
signature.asc
Description: OpenPGP digital signature