Hi Willy, Roberto, Emeric, On 06/30/2016 08:12 PM, Willy Tarreau wrote: > I checked the man page for SSL_CTX_set_tmp_dh() and it does not mention > anything regarding the need to free the param or not. And the example > that comes with it doesn't involve a call to DH_free().
It's a mess, I recall having the same issue with a previous version of the DH code. > Thus for now I'd rather leave valgrind unhappy until someone finds what > exactly needs to be done to make it happy and not cause this issue. I've attached what I think is the right fix, simply checking if local_dh_2014 is NULL before calling ssl_get_dh_1024(), thus only generating it at most one time. It's then freed in __ssl_sock_deinit() so valgrind should be happy. Best regards, Remi
From cd90e8cca7ac9156e769d4580448cf89f45cd929 Mon Sep 17 00:00:00 2001
From: Remi Gacogne <rgacogne-git...@coredump.fr>
Date: Sat, 2 Jul 2016 16:26:10 +0200
Subject: [PATCH] BUG/MINOR: ssl: fix potential memory leak in
ssl_sock_load_dh_params()
Roberto Guimaraes reported that Valgrind complains about a leak
in ssl_get_dh_1024().
This is caused caused by an oversight in ssl_sock_load_dh_params(),
where local_dh_1024 is always replaced by a new DH object even if
it already holds one. This patch simply checks whether local_dh_1024
is NULL before calling ssl_get_dh_1024().
---
src/ssl_sock.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f247618..e5a6f0a 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1638,7 +1638,9 @@ int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file)
if (global.tune.ssl_default_dh_param <= 1024) {
/* we are limited to DH parameter of 1024 bits anyway */
- local_dh_1024 = ssl_get_dh_1024();
+ if (local_dh_1024 == NULL)
+ local_dh_1024 = ssl_get_dh_1024();
+
if (local_dh_1024 == NULL)
goto end;
--
2.9.0
signature.asc
Description: OpenPGP digital signature
