From:             polone at townnews dot com
Operating system: RedHat FC4
PHP version:      4.4.2
PHP Bug Type:     OpenSSL related
Bug description:  OpenSSL Memory Leaks

Description:
------------
The OpenSSL extension in PHP leaks memory. Using valgrind, I was able to
determine that there is a consistent leak of about 20K. There are two
leaks: one is the result of calling SSL_get_ex_new_index() during MINIT
which doesn't supply any mechanism for free_func (according to the
prototype). The other leak, which accounts for about 19K, is from loading
error strings but not calling the relevant free() function.

Another problem was noticed in network.c. There is a call to
SSL_CTX_new(), but no corresponding SSL_CTX_free() when the socket is
closed. Because the pointer for ctx is localized, the original pointer is
lost - using SSL_get_SSL_CTX() allows you to retrieve the context and free
it properly before calling SSL_free() during socket close.

I've included a patch which corrects two of the issues:

diff -Naur php-4.4.2/ext/openssl/openssl.c
php-fixed/ext/openssl/openssl.c
--- php-4.4.2/ext/openssl/openssl.c     2006-01-01 07:46:55.000000000
-0600
+++ php-4.4.2/ext/openssl/openssl.c     2006-02-21 10:45:32.000000000
-0600
@@ -651,6 +651,7 @@
  */
 PHP_MSHUTDOWN_FUNCTION(openssl)
 {
+ ERR_free_strings();
  EVP_cleanup();
  return SUCCESS;
 }
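
Review bot: The added ERR_free_strings() call in PHP_MSHUTDOWN_FUNCTION(openssl) releases libcrypto's error string tables for the whole process, not only for this extension, so it is safe only if nothing else in the process still needs OpenSSL error strings once this module shuts down. A short comment saying that it pairs with the ERR_load_* calls made at module startup (zm_startup_openssl in the valgrind trace below) would make that pairing and its assumption explicit. The SSL_get_ex_new_index() leak mentioned in the description is not touched by this hunk and is worth tracking separately.
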
diff -Naur php-4.4.2/main/network.c php-fixed/main/network.c
--- php-4.4.2/main/network.c  2006-01-01 07:46:59.000000000 -0600
+++ php-4.4.2/main/network.c  2006-02-21 10:45:27.000000000 -0600
@@ -1091,11 +1091,14 @@

  if (close_handle) {
 #ifdef HAVE_OPENSSL_EXT
+
     if (sock->ssl_active) {
        SSL_shutdown(sock->ssl_handle);
        sock->ssl_active = 0;
     }
     if (sock->ssl_handle) {
+       SSL_CTX *ctx = SSL_get_SSL_CTX(sock->ssl_handle);
+       SSL_CTX_free(ctx);
        SSL_free(sock->ssl_handle);
        sock->ssl_handle = NULL;
     }
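
Review bot: SSL_CTX_free(ctx) at the top of the `if (sock->ssl_handle)` block is correct only while every handle has its own context from SSL_CTX_new() that is never shared between sockets or released anywhere else; SSL_free() on the next line drops the handle's own reference to the same context, so any second owner would turn this into a double free. A safer shape is to release the creator's reference in the activation path right after the SSL handle has been created from the context (php_stream_sock_ssl_activate_with_method in the trace), which leaves the close path needing only SSL_free(). The blank line added after `#ifdef HAVE_OPENSSL_EXT` is unrelated whitespace and can be dropped.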


Reproduce code:
---------------
<?php

readfile("https://secure.townnews.com/");

?>

Expected result:
----------------
No memory leaks.

Actual result:
--------------
==2610==
==2610== ERROR SUMMARY: 8076 errors from 411 contexts (suppressed: 0 from
0)
==2610== malloc/free: in use at exit: 25,224 bytes in 1,608 blocks.
==2610== malloc/free: 7,727 allocs, 6,119 frees, 555,906 bytes allocated.
==2610== For counts of detected errors, rerun with: -v
==2610== searching for pointers to 1,608 not-freed blocks.
==2610== checked 607,512 bytes.
==2610==
==2610==
==2610== 28 bytes in 1 blocks are possibly lost in loss record 1 of 6
==2610==    at 0x40211F9: malloc (vg_replace_malloc.c:149)
==2610==    by 0x441DED4: strdup (in /lib/libc-2.3.5.so)
==2610==    by 0x8153FD5: (within /usr/bin/php)
==2610==    by 0x8155BB5: php_module_startup (in /usr/bin/php)
==2610==    by 0x819F4A9: main (in /usr/bin/php)
==2610==
==2610==
==2610== 1,220 (248 direct, 972 indirect) bytes in 1 blocks are definitely
lost in loss record 2 of 6
==2610==    at 0x40211F9: malloc (vg_replace_malloc.c:149)
==2610==    by 0x4221B69: (within /lib/libcrypto.so.0.9.7f)
==2610==    by 0x4222110: CRYPTO_malloc (in /lib/libcrypto.so.0.9.7f)
==2610==    by 0x41DF1D9: SSL_CTX_new (in /lib/libssl.so.0.9.7f)
==2610==    by 0x81668C3: php_stream_sock_ssl_activate_with_method (in
/usr/bin/php)
==2610==    by 0x8119CDD: php_stream_url_wrap_http_ex (in /usr/bin/php)
==2610==    by 0x811B51F: php_stream_url_wrap_http (in /usr/bin/php)
==2610==    by 0x81656FB: _php_stream_open_wrapper_ex (in /usr/bin/php)
==2610==    by 0x80E0FF0: zif_readfile (in /usr/bin/php)
==2610==    by 0x8198E71: execute (in /usr/bin/php)
==2610==    by 0x8186581: zend_execute_scripts (in /usr/bin/php)
==2610==    by 0x8156BE1: php_execute_script (in /usr/bin/php)
==2610==
==2610==
==2610== 460 bytes in 12 blocks are indirectly lost in loss record 3 of 6
==2610==    at 0x40211F9: malloc (vg_replace_malloc.c:149)
==2610==    by 0x4221B69: (within /lib/libcrypto.so.0.9.7f)
==2610==    by 0x4222110: CRYPTO_malloc (in /lib/libcrypto.so.0.9.7f)
==2610==    by 0x41E0172: ssl_cert_new (in /lib/libssl.so.0.9.7f)
==2610==    by 0x41DF2D0: SSL_CTX_new (in /lib/libssl.so.0.9.7f)
==2610==    by 0x81668C3: php_stream_sock_ssl_activate_with_method (in
/usr/bin/php)
==2610==    by 0x8119CDD: php_stream_url_wrap_http_ex (in /usr/bin/php)
==2610==    by 0x811B51F: php_stream_url_wrap_http (in /usr/bin/php)
==2610==    by 0x81656FB: _php_stream_open_wrapper_ex (in /usr/bin/php)
==2610==    by 0x80E0FF0: zif_readfile (in /usr/bin/php)
==2610==    by 0x8198E71: execute (in /usr/bin/php)
==2610==    by 0x8186581: zend_execute_scripts (in /usr/bin/php)
==2610==
==2610==
==2610== 512 bytes in 2 blocks are indirectly lost in loss record 4 of 6
==2610==    at 0x40212ED: realloc (vg_replace_malloc.c:306)
==2610==    by 0x4221B94: (within /lib/libcrypto.so.0.9.7f)
==2610==    by 0x42221E3: CRYPTO_realloc (in /lib/libcrypto.so.0.9.7f)
==2610==    by 0x426C6AF: sk_insert (in /lib/libcrypto.so.0.9.7f)
==2610==    by 0x426C7B9: sk_push (in /lib/libcrypto.so.0.9.7f)
==2610==    by 0x41E2172: ssl_create_cipher_list (in
/lib/libssl.so.0.9.7f)
==2610==    by 0x41DF348: SSL_CTX_new (in /lib/libssl.so.0.9.7f)
==2610==    by 0x81668C3: php_stream_sock_ssl_activate_with_method (in
/usr/bin/php)
==2610==    by 0x8119CDD: php_stream_url_wrap_http_ex (in /usr/bin/php)
==2610==    by 0x811B51F: php_stream_url_wrap_http (in /usr/bin/php)
==2610==    by 0x81656FB: _php_stream_open_wrapper_ex (in /usr/bin/php)
==2610==    by 0x80E0FF0: zif_readfile (in /usr/bin/php)
==2610==
==2610==
==2610== 4,096 bytes in 1 blocks are still reachable in loss record 5 of
6
==2610==    at 0x40212ED: realloc (vg_replace_malloc.c:306)
==2610==    by 0x4221B94: (within /lib/libcrypto.so.0.9.7f)
==2610==    by 0x42221E3: CRYPTO_realloc (in /lib/libcrypto.so.0.9.7f)
==2610==    by 0x426D084: lh_insert (in /lib/libcrypto.so.0.9.7f)
==2610==    by 0x426F283: (within /lib/libcrypto.so.0.9.7f)
==2610==    by 0x426F7E5: (within /lib/libcrypto.so.0.9.7f)
==2610==    by 0x428DC59: ERR_load_ASN1_strings (in
/lib/libcrypto.so.0.9.7f)
==2610==    by 0x427064E: ERR_load_crypto_strings (in
/lib/libcrypto.so.0.9.7f)
==2610==    by 0x806AFA1: zm_startup_openssl (in /usr/bin/php)
==2610==    by 0x818898F: zend_startup_module (in /usr/bin/php)
==2610==    by 0x815569E: php_startup_extensions (in /usr/bin/php)
==2610==    by 0x81A02A4: php_startup_internal_extensions (in
/usr/bin/php)
==2610==
==2610==
==2610== 19,880 bytes in 1,591 blocks are still reachable in loss record 6
of 6
==2610==    at 0x40211F9: malloc (vg_replace_malloc.c:149)
==2610==    by 0x4221B69: (within /lib/libcrypto.so.0.9.7f)
==2610==    by 0x4222110: CRYPTO_malloc (in /lib/libcrypto.so.0.9.7f)
==2610==    by 0x426CAFF: lh_new (in /lib/libcrypto.so.0.9.7f)
==2610==    by 0x426F0CD: (within /lib/libcrypto.so.0.9.7f)
==2610==    by 0x426F243: (within /lib/libcrypto.so.0.9.7f)
==2610==    by 0x426F7E5: (within /lib/libcrypto.so.0.9.7f)
==2610==    by 0x426F81E: ERR_load_ERR_strings (in
/lib/libcrypto.so.0.9.7f)
==2610==    by 0x806AF97: zm_startup_openssl (in /usr/bin/php)
==2610==    by 0x818898F: zend_startup_module (in /usr/bin/php)
==2610==    by 0x815569E: php_startup_extensions (in /usr/bin/php)
==2610==    by 0x81A02A4: php_startup_internal_extensions (in
/usr/bin/php)
==2610==
==2610== LEAK SUMMARY:
==2610==    definitely lost: 248 bytes in 1 blocks.
==2610==    indirectly lost: 972 bytes in 14 blocks.
==2610==      possibly lost: 28 bytes in 1 blocks.
==2610==    still reachable: 23,976 bytes in 1,592 blocks.
==2610==         suppressed: 0 bytes in 0 blocks.


-- 
Edit bug report at http://bugs.php.net/?id=36480&edit=1