From aced5b3b6c231cad6c51a52f4c9890553b14d179 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Sat, 25 Jun 2016 23:47:22 +0900
Subject: [PATCH] nghttpx: Fix memory leak from CertLookupTree

---
 src/shrpx_connection_handler.cc | 16 ++++++++--------
 src/shrpx_connection_handler.h | 7 +++++++
 src/shrpx_ssl.cc | 4 ++--
 src/shrpx_ssl.h | 2 +-
 4 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/src/shrpx_connection_handler.cc b/src/shrpx_connection_handler.cc
index 933a6092..af919514 100644
--- a/src/shrpx_connection_handler.cc
+++ b/src/shrpx_connection_handler.cc
@@ -202,10 +202,10 @@ void ConnectionHandler::worker_replace_downstream(
 }
 int ConnectionHandler::create_single_worker() {
- auto cert_tree = ssl::create_cert_lookup_tree();
- auto sv_ssl_ctx = ssl::setup_server_ssl_context(all_ssl_ctx_, cert_tree
+ cert_tree_ = ssl::create_cert_lookup_tree();
+ auto sv_ssl_ctx = ssl::setup_server_ssl_context(all_ssl_ctx_, cert_tree_.get()
 #ifdef HAVE_NEVERBLEED
- ,
+ ,
 nb_.get()
 #endif // HAVE_NEVERBLEED
 );
@@ -234,7 +234,7 @@ int ConnectionHandler::create_single_worker() {
 }
 single_worker_ = make_unique(
- loop_, sv_ssl_ctx, cl_ssl_ctx, session_cache_ssl_ctx, cert_tree,
+ loop_, sv_ssl_ctx, cl_ssl_ctx, session_cache_ssl_ctx, cert_tree_.get(),
 ticket_keys_, this, get_config()->conn.downstream);
 #ifdef HAVE_MRUBY
 if (single_worker_->create_mruby_context() != 0) {
@@ -249,10 +249,10 @@ int ConnectionHandler::create_worker_thread(size_t num) {
 #ifndef NOTHREADS
 assert(workers_.size() == 0);
- auto cert_tree = ssl::create_cert_lookup_tree();
- auto sv_ssl_ctx = ssl::setup_server_ssl_context(all_ssl_ctx_, cert_tree
+ cert_tree_ = ssl::create_cert_lookup_tree();
+ auto sv_ssl_ctx = ssl::setup_server_ssl_context(all_ssl_ctx_, cert_tree_.get()
 #ifdef HAVE_NEVERBLEED
- ,
+ ,
 nb_.get()
 #endif // HAVE_NEVERBLEED
 );
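Review bot: The raw pointer from `cert_tree_.get()` now escapes into `setup_server_ssl_context` and into the Worker constructed further down (the same pattern is repeated in the @@ -234, @@ -249 and @@ -289 hunks), so the SSL contexts in `all_ssl_ctx_` and the workers must never outlive `cert_tree_`, and nothing in the new code records that contract. Assigning `cert_tree_` also destroys whatever tree a previous call created; `create_worker_thread` guards itself with `assert(workers_.size() == 0)`, but nothing prevents a tree already handed to `single_worker_` from being freed under it, which would leave that worker with a dangling pointer in what is presumably the certificate selection path. I would add above the assignment: `// cert_tree_ owns the lookup tree; SSL_CTXs and workers only borrow the raw pointer, so it must outlive them and must not be reassigned once handed out.` The body of create_single_worker continues outside the hunk.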
@@ -289,7 +289,7 @@ int ConnectionHandler::create_worker_thread(size_t num) {
 all_ssl_ctx_.push_back(session_cache_ssl_ctx);
 }
 auto worker = make_unique(
- loop, sv_ssl_ctx, cl_ssl_ctx, session_cache_ssl_ctx, cert_tree,
+ loop, sv_ssl_ctx, cl_ssl_ctx, session_cache_ssl_ctx, cert_tree_.get(),
 ticket_keys_, this, get_config()->conn.downstream);
 #ifdef HAVE_MRUBY
 if (worker->create_mruby_context() != 0) {
diff --git a/src/shrpx_connection_handler.h b/src/shrpx_connection_handler.h
index 2003c5cf..1f9986af 100644
--- a/src/shrpx_connection_handler.h
+++ b/src/shrpx_connection_handler.h
@@ -61,6 +61,12 @@ struct TicketKeys;
 class MemcachedDispatcher;
 struct UpstreamAddr;
+namespace ssl {
+ class CertLookupTree;
+ } // namespace ssl
+
 struct OCSPUpdateContext {
 // ocsp response buffer
 std::vector resp;
@@ -184,6 +190,7 @@ private:
 // Worker instance used when single threaded mode (-n1) is used.
 // Otherwise, nullptr and workers_ has instances of Worker instead.
 std::unique_ptr single_worker_;
+ std::unique_ptr cert_tree_;
 std::unique_ptr tls_ticket_key_memcached_dispatcher_;
 // Current TLS session ticket keys. Note that TLS connection does
 // not refer to this field directly. They use TicketKeys object in
diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc
index e6ba31c0..c14ff605 100644
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@@ -1444,11 +1444,11 @@ void setup_downstream_http1_alpn(SSL *ssl) {
 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
 }
-CertLookupTree *create_cert_lookup_tree() {
+std::unique_ptr create_cert_lookup_tree() {
 if (!upstream_tls_enabled() || get_config()->tls.subcerts.empty()) {
 return nullptr;
 }
- return new ssl::CertLookupTree();
+ return make_unique();
 }
 namespace {
diff --git a/src/shrpx_ssl.h b/src/shrpx_ssl.h
index a6086a97..5f31c7a7 100644
--- a/src/shrpx_ssl.h
+++ b/src/shrpx_ssl.h
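Review bot: In the shrpx_connection_handler.h @@ -184 hunk, `cert_tree_` is declared after `single_worker_`, so it is destroyed before the worker that holds a raw pointer into it (members are destroyed in reverse declaration order); if Worker's destructor, or teardown of the SSL_CTXs that received `cert_tree_.get()`, touches the tree, that is a use-after-free at shutdown. I would move the declaration above `single_worker_` — and above `workers_` and `all_ssl_ctx_` if those are declared later in the class, which this hunk does not show — and document the borrow: `// Owns the certificate lookup tree. Workers and SSL_CTXs keep raw pointers` / `// into it (see create_single_worker), so it must be declared before them.` Whether anything dereferences the tree during destruction cannot be confirmed from this diff, so the ordering change is cheap insurance rather than a proven crash.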
@@ -212,7 +212,7 @@ void setup_downstream_http1_alpn(SSL *ssl);
 // Creates CertLookupTree. If frontend is configured not to use TLS,
 // this function returns nullptr.
-CertLookupTree *create_cert_lookup_tree();
+std::unique_ptr create_cert_lookup_tree();
 SSL *create_ssl(SSL_CTX *ssl_ctx);
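Review bot: The comment above the changed declaration is now incomplete: per the shrpx_ssl.cc hunk, `create_cert_lookup_tree` also returns nullptr when `tls.subcerts` is empty, and with the `std::unique_ptr` return the caller now owns the tree, neither of which the comment states. I would rewrite it as `// Creates CertLookupTree and transfers ownership to the caller. Returns` / `// nullptr if frontend is configured not to use TLS or if no additional` / `// certificates (tls.subcerts) are configured.` Callers that pass the raw pointer on, as ConnectionHandler does, should be reminded here that the unique_ptr must outlive every borrower.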