https://bugs.openldap.org/show_bug.cgi?id=9696
Issue ID: 9696
Summary: OpenSSL implementation of LDAP_OPT_X_TLS_PEERCERT leaks memory
Product: OpenLDAP
Version: 2.4.57
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: cheimes@redhat.com
Target Milestone: ---
The OpenSSL implementation of ldap_get_option() LDAP_OPT_X_TLS_PEERCERT leaks memory. The internal function tlso_session_peercert() uses SSL_get_peer_certificate() to access the server certificate. SSL_get_peer_certificate() increases the reference counter of the peer cert by one. The code is missing a X509_free() call to decref the internal reference counter by one.
I also recommend that you check the return value of SSL_get_peer_certificate() for NULL. There are cases when a TLS session does not have access to a peer certificate, e.g. session resumption.
Valgrind log:
==586962== 16,044 (1,056 direct, 14,988 indirect) bytes in 3 blocks are definitely lost in loss record 6,355 of 6,374
==586962==    at 0x484086F: malloc (vg_replace_malloc.c:380)
==586962==    by 0x16981A4D: CRYPTO_zalloc (mem.c:230)
==586962==    by 0x168CC823: asn1_item_embed_new (tasn_new.c:122)
==586962==    by 0x168CE12A: asn1_item_embed_d2i (tasn_dec.c:325)
==586962==    by 0x168CE341: ASN1_item_ex_d2i (tasn_dec.c:124)
==586962==    by 0x168CE3CE: ASN1_item_d2i (tasn_dec.c:114)
==586962==    by 0x1744B7CC: tls_process_server_certificate (statem_clnt.c:1853)
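The ownership rule the report describes, as a stand-alone added example (this is not OpenLDAP or OpenSSL code). The fake_x509, fake_ssl and fake_* names are stand-ins written for this example: fake_get_peer_certificate() follows the documented contract of SSL_get_peer_certificate() (NULL when no peer certificate is available, otherwise one extra reference that the caller must release), fake_x509_free() follows X509_free(), and fake_i2d_x509() plays the role of i2d_X509(). peercert_leaky() is the shape of the defect as the report describes it, reconstructed here rather than copied from libldap; peercert_fixed() is the corrected shape. refs_after() runs either variant once against a certificate holding a single reference and reports the count afterwards, so a balanced getter yields 1 and a leaking one yields 2.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for OpenSSL's reference-counted X509 (assumed model). */
typedef struct {
    int refs;                 /* reference count, as in OpenSSL's X509 */
    unsigned char der[4];     /* constructed placeholder for DER bytes */
    size_t der_len;
} fake_x509;

/* Stand-in for SSL; peer == NULL models e.g. a resumed session. */
typedef struct {
    fake_x509 *peer;
} fake_ssl;

/* Mirrors SSL_get_peer_certificate(): NULL if no peer cert, else +1 ref. */
static fake_x509 *fake_get_peer_certificate(fake_ssl *s)
{
    if (s->peer == NULL)
        return NULL;
    s->peer->refs++;          /* the caller now owns one reference */
    return s->peer;
}

/* Mirrors X509_free(): drop one reference, free at zero, NULL is a no-op. */
static void fake_x509_free(fake_x509 *x)
{
    if (x == NULL)
        return;
    if (--x->refs == 0)
        free(x);
}

/* Mirrors i2d_X509() into a preallocated buffer: copy DER out. */
static int fake_i2d_x509(const fake_x509 *x, unsigned char *out)
{
    memcpy(out, x->der, x->der_len);
    return (int)x->der_len;
}

struct berval { size_t bv_len; char *bv_val; };

/* Reconstructed shape of the reported defect: the getter's reference is
   never released and the NULL case is not checked. */
static int peercert_leaky(fake_ssl *s, struct berval *der)
{
    fake_x509 *x = fake_get_peer_certificate(s);
    der->bv_len = x->der_len;            /* dereferences NULL on a resumed session */
    der->bv_val = malloc(der->bv_len);
    if (der->bv_val == NULL)
        return -1;
    fake_i2d_x509(x, (unsigned char *)der->bv_val);
    return 0;                            /* missing fake_x509_free(x) */
}

/* Corrected shape: check for NULL, release the reference on every path. */
static int peercert_fixed(fake_ssl *s, struct berval *der)
{
    fake_x509 *x = fake_get_peer_certificate(s);
    int rc = -1;
    if (x == NULL)
        return -1;                       /* no peer certificate available */
    der->bv_len = x->der_len;
    der->bv_val = malloc(der->bv_len);
    if (der->bv_val != NULL) {
        fake_i2d_x509(x, (unsigned char *)der->bv_val);
        rc = 0;
    }
    fake_x509_free(x);                   /* drop the getter's reference */
    return rc;
}

/* Run one getter against a cert holding a single reference and return the
   cert's reference count afterwards: 1 means balanced, 2 means leaked. */
static int refs_after(int (*getter)(fake_ssl *, struct berval *))
{
    fake_x509 *cert = calloc(1, sizeof *cert);
    fake_ssl s;
    struct berval der = { 0, NULL };
    int refs, left;

    if (cert == NULL)
        return -1;
    cert->refs = 1;
    memcpy(cert->der, "\x30\x02\x05\x00", 4);  /* constructed bytes, not a real cert */
    cert->der_len = 4;
    s.peer = cert;

    getter(&s, &der);
    refs = cert->refs;

    free(der.bv_val);
    for (left = refs; left > 0; left--)  /* release whatever is left */
        fake_x509_free(cert);
    return refs;
}

/* The no-peer-certificate case: the fixed getter must fail cleanly. */
static int fixed_handles_no_peer(void)
{
    fake_ssl s = { NULL };
    struct berval der = { 0, NULL };
    return peercert_fixed(&s, &der);
}

int main(void)
{
    printf("leaky: refs after call = %d\n", refs_after(peercert_leaky));
    printf("fixed: refs after call = %d\n", refs_after(peercert_fixed));
    printf("fixed, no peer cert: rc = %d\n", fixed_handles_no_peer());
    return 0;
}
```

The same two checks apply to real OpenSSL code: every SSL_get_peer_certificate() result must reach an X509_free() on every return path (including the allocation-failure path), and the NULL result must be handled before the pointer is dereferenced. Valgrind reports the leak as the "definitely lost" block whose allocation stack ends in tls_process_server_certificate, exactly as in the log above.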
Howard Chu hyc@openldap.org changed:
What            |Removed      |Added
----------------------------------------------------------------------------
Status          |UNCONFIRMED  |RESOLVED
Resolution      |---          |TEST
--- Comment #1 from Howard Chu hyc@openldap.org --- (In reply to cheimes@redhat.com from comment #0)
> The OpenSSL implementation of ldap_get_option() LDAP_OPT_X_TLS_PEERCERT leaks memory. The internal function tlso_session_peercert() uses SSL_get_peer_certificate() to access the server certificate. SSL_get_peer_certificate() increases the reference counter of the peer cert by one. The code is missing a X509_free() call to decref the internal reference counter by one.
>
> I also recommend that you check the return value of SSL_get_peer_certificate() for NULL. There are cases when a TLS session does not have access to a peer certificate, e.g. session resumption.
Thanks for the report. Fixed in git master
Quanah Gibson-Mount quanah@openldap.org changed:
What            |Removed      |Added
----------------------------------------------------------------------------
Target Milestone|---          |2.4.59
Keywords        |needs_review |
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org --- Commits:
• d285c051 by Howard Chu at 2021-09-15T13:03:13+01:00 ITS#9686 plug peercert memleak
Quanah Gibson-Mount quanah@openldap.org changed:
What            |Removed      |Added
----------------------------------------------------------------------------
Target Milestone|2.4.59       |2.5.8
--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org --- RE26:
• a01f5e4e by Howard Chu at 2021-09-15T15:39:14+00:00 ITS#9696 plug peercert memleak
RE25:
• 927e0ec6 by Howard Chu at 2021-09-15T15:48:19+00:00 ITS#9696 plug peercert memleak
Quanah Gibson-Mount quanah@openldap.org changed:
What            |Removed      |Added
----------------------------------------------------------------------------
Status          |RESOLVED     |VERIFIED
Resolution      |TEST         |FIXED