I suspect that there may be a bug in ssl/bio_ssl.c (OpenSSL 0.9.7j - and
earlier versions).

In a BIO_CTRL_PUSH, the next_bio->references is incremented.
In a BIO_CTRL_POP, the next_bio->references is also incremented.
Shouldn't it be decremented?

To work around it I am using a BIO_free_all() instead of a BIO_pop(),
which is probably the recommended way, but I thought I should report the
possibility of a bug that could lead to memory leaks (in my case I was
leaking the BIOs under my SSLs).

static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
    {
    ...
    case BIO_CTRL_PUSH:
        if ((b->next_bio != NULL) && (b->next_bio != ssl->rbio))
            {
            SSL_set_bio(ssl,b->next_bio,b->next_bio);
            CRYPTO_add(&b->next_bio->references,1,CRYPTO_LOCK_BIO);
            }
        break;
    case BIO_CTRL_POP:
        /* ugly bit of a hack */
        if (ssl->rbio != ssl->wbio) /* we are in trouble :-( */
            {
            BIO_free_all(ssl->wbio);
            }
        if (b->next_bio != NULL)
            {
<<
            CRYPTO_add(&b->next_bio->references,1,CRYPTO_LOCK_BIO);
>>
            CRYPTO_add(&b->next_bio->references,-1,CRYPTO_LOCK_BIO);
            }
        ssl->wbio=NULL;
        ssl->rbio=NULL;
        break;
    ...
    }

Regards,
Tom Maher
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List
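
The reference accounting described in the message above, as an added C model that is not part of the original post and is not OpenSSL code. The names toy_bio, toy_push, toy_pop, toy_free and leaked_after_cycle are hypothetical, and the model assumes each BIO starts with one reference and is released only when its count reaches zero.

```c
#include <stdio.h>

/* Toy stand-in for a BIO: only what the reference-count argument needs. */
typedef struct toy_bio {
    int references;            /* models BIO->references */
    int released;              /* set when the count hits zero (stands in for free) */
    struct toy_bio *next_bio;
} toy_bio;

/* Models BIO_free(): drop one reference, release only at zero. */
static void toy_free(toy_bio *b) {
    if (b != NULL && --b->references == 0)
        b->released = 1;
}

/* Models BIO_CTRL_PUSH: the SSL filter adopts next_bio and takes a reference. */
static void toy_push(toy_bio *ssl_bio, toy_bio *next) {
    ssl_bio->next_bio = next;
    next->references += 1;
}

/* Models BIO_CTRL_POP: delta is +1 (the line marked << >>) or -1 (the proposal). */
static toy_bio *toy_pop(toy_bio *ssl_bio, int delta) {
    toy_bio *next = ssl_bio->next_bio;
    if (next != NULL)
        next->references += delta;
    ssl_bio->next_bio = NULL;
    return next;
}

/* One push/pop/free cycle; returns how many objects were never released. */
static int leaked_after_cycle(int pop_delta) {
    /* Assumption: a newly created BIO carries one reference held by its creator. */
    toy_bio ssl_bio = {1, 0, NULL}, sock = {1, 0, NULL};
    toy_push(&ssl_bio, &sock);
    toy_free(toy_pop(&ssl_bio, pop_delta));   /* caller frees the popped BIO */
    toy_free(&ssl_bio);
    return !ssl_bio.released + !sock.released;
}

int main(void) {
    printf("pop adds +1: %d leaked\n", leaked_after_cycle(+1));
    printf("pop adds -1: %d leaked\n", leaked_after_cycle(-1));
    return 0;
}
```

With the increment, the popped object ends the cycle with a count of 2 after the caller's free and is never released; with the decrement the count returns to 1 after the pop and the caller's free releases it.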