This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 4a36d21c3b Fix some minor memory leaks on certificate load
4a36d21c3b is described below
commit 4a36d21c3bf499dd7620ac2298d5e9b26c307650
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Apr 7 17:35:19 2026 +0100
Fix some minor memory leaks on certificate load
Identified by a GitHub CoPilot review
---
java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java | 3 +++
webapps/docs/changelog.xml | 4 ++++
2 files changed, 7 insertions(+)
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index 934d1e5f74..097ed9b84f 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -1076,8 +1076,10 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
}
if (SSL_CTX_use_certificate(state.sslCtx, cert) <= 0) {
logLastError("openssl.errorLoadingCertificate");
+ X509_free(cert);
return false;
}
+ X509_free(cert);
if (SSL_CTX_use_PrivateKey(state.sslCtx, key) <= 0) {
logLastError("openssl.errorLoadingPrivateKey");
return false;
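Review bot: Both `return false` paths visible in this hunk leave `key` unreleased, although the commit now frees `cert` on the first of them. SSL_CTX_use_PrivateKey, like SSL_CTX_use_certificate, takes its own reference on success, so the caller keeps ownership of the object it passed in. If `key` is an EVP_PKEY allocated earlier in this method and not freed in a cleanup block outside the hunk, it leaks in the same way and leaves private key material in native memory longer than needed. In that case add `EVP_PKEY_free(key);` before each early return and after the successful call, or move both frees into a single `finally`. The enclosing method starts and ends outside the hunk, so this needs checking against the full body.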
@@ -1179,6 +1181,7 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
if (SSL_CTX_add0_chain_cert(state.sslCtx,
certChainEntry) <= 0) {
log.error(sm.getString("openssl.errorLoadingCertificateWithError",
certificate.getCertificateChainFile(),
OpenSSLLibrary.getLastError()));
+ X509_free(certChainEntry);
}
certChainEntry =
PEM_read_bio_X509_AUX(certificateChainBIO, MemorySegment.NULL,
MemorySegment.NULL, MemorySegment.NULL);
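Review bot: The new `X509_free(certChainEntry);` is only correct inside the failure branch, and nothing at the call site says why. SSL_CTX_add0_chain_cert takes ownership of the certificate on success, unlike the SSL_CTX_use_certificate call in the first hunk, where the free is unconditional. A later cleanup that makes the two sites look alike would turn this into a double free. A comment above the free would prevent that: `// add0 transfers ownership on success, so release the entry only when the call fails`. The loop that reads each chain entry starts outside this hunk.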
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 88ba657458..508667ba7e 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -143,6 +143,10 @@
Consistently reject URIs containing <code>NULL</code> bytes when
normalizing. (markt)
</fix>
+ <fix>
+ Fix a few minor memory leaks on error paths reading TLS keys and
+ certificates when using FFM. (markt)
+ </fix>
</changelog>
</subsection>
</section>