nghttpx: Fix memory leak from CertLookupTree

src/shrpx_connection_handler.cc

@@ -202,10 +202,10 @@ void ConnectionHandler::worker_replace_downstream(
 }
 
 int ConnectionHandler::create_single_worker() {
-  auto cert_tree = ssl::create_cert_lookup_tree();
-  auto sv_ssl_ctx = ssl::setup_server_ssl_context(all_ssl_ctx_, cert_tree
+  cert_tree_ = ssl::create_cert_lookup_tree();
+  auto sv_ssl_ctx = ssl::setup_server_ssl_context(all_ssl_ctx_, cert_tree_.get()
 #ifdef HAVE_NEVERBLEED
-                                                  ,
+                                                                    ,
                                                   nb_.get()
 #endif // HAVE_NEVERBLEED
                                                       );
@@ -234,7 +234,7 @@ int ConnectionHandler::create_single_worker() {
   }
 
   single_worker_ = make_unique<Worker>(
-      loop_, sv_ssl_ctx, cl_ssl_ctx, session_cache_ssl_ctx, cert_tree,
+      loop_, sv_ssl_ctx, cl_ssl_ctx, session_cache_ssl_ctx, cert_tree_.get(),
       ticket_keys_, this, get_config()->conn.downstream);
 #ifdef HAVE_MRUBY
   if (single_worker_->create_mruby_context() != 0) {
@@ -249,10 +249,10 @@ int ConnectionHandler::create_worker_thread(size_t num) {
 #ifndef NOTHREADS
   assert(workers_.size() == 0);
 
-  auto cert_tree = ssl::create_cert_lookup_tree();
-  auto sv_ssl_ctx = ssl::setup_server_ssl_context(all_ssl_ctx_, cert_tree
+  cert_tree_ = ssl::create_cert_lookup_tree();
+  auto sv_ssl_ctx = ssl::setup_server_ssl_context(all_ssl_ctx_, cert_tree_.get()
 #ifdef HAVE_NEVERBLEED
-                                                  ,
+                                                                    ,
                                                   nb_.get()
 #endif // HAVE_NEVERBLEED
                                                       );
@@ -289,7 +289,7 @@ int ConnectionHandler::create_worker_thread(size_t num) {
       all_ssl_ctx_.push_back(session_cache_ssl_ctx);
     }
     auto worker = make_unique<Worker>(
-        loop, sv_ssl_ctx, cl_ssl_ctx, session_cache_ssl_ctx, cert_tree,
+        loop, sv_ssl_ctx, cl_ssl_ctx, session_cache_ssl_ctx, cert_tree_.get(),
         ticket_keys_, this, get_config()->conn.downstream);
 #ifdef HAVE_MRUBY
     if (worker->create_mruby_context() != 0) {

src/shrpx_connection_handler.h

@@ -61,6 +61,12 @@ struct TicketKeys;
 class MemcachedDispatcher;
 struct UpstreamAddr;
 
+namespace ssl {
+
+class CertLookupTree;
+
+} // namespace ssl
+
 struct OCSPUpdateContext {
   // ocsp response buffer
   std::vector<uint8_t> resp;
@@ -184,6 +190,7 @@ private:
   // Worker instance used when single threaded mode (-n1) is used.
   // Otherwise, nullptr and workers_ has instances of Worker instead.
   std::unique_ptr<Worker> single_worker_;
+  std::unique_ptr<ssl::CertLookupTree> cert_tree_;
   std::unique_ptr<MemcachedDispatcher> tls_ticket_key_memcached_dispatcher_;
   // Current TLS session ticket keys.  Note that TLS connection does
   // not refer to this field directly.  They use TicketKeys object in

src/shrpx_ssl.cc

@@ -1444,11 +1444,11 @@ void setup_downstream_http1_alpn(SSL *ssl) {
 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
 }
 
-CertLookupTree *create_cert_lookup_tree() {
+std::unique_ptr<CertLookupTree> create_cert_lookup_tree() {
   if (!upstream_tls_enabled() || get_config()->tls.subcerts.empty()) {
     return nullptr;
   }
-  return new ssl::CertLookupTree();
+  return make_unique<CertLookupTree>();
 }
 
 namespace {

src/shrpx_ssl.h

@@ -212,7 +212,7 @@ void setup_downstream_http1_alpn(SSL *ssl);
 
 // Creates CertLookupTree.  If frontend is configured not to use TLS,
 // this function returns nullptr.
-CertLookupTree *create_cert_lookup_tree();
+std::unique_ptr<CertLookupTree> create_cert_lookup_tree();
 
 SSL *create_ssl(SSL_CTX *ssl_ctx);