* modules/ssl/mod_ssl.c (ssl_cleanup_pre_config): Remove the call to

CRYPTO_cleanup_all_ex_data here, fixing a per-connection memory leak which occurs if the client indicates support for a compression algorithm in the initial handshake, and mod_ssl is linked against OpenSSL >= 0.9.8f. Thanks to Amund Elstad and Dr Stephen Henson for analysis of this issue. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@654119 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2008-05-07 14:17:31 +00:00
parent 0a8ec0f41c
commit 09e9ce3479
1 changed files with 6 additions and 5 deletions
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -217,11 +217,6 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
    EVP_cleanup();
 #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
    ENGINE_cleanup();
-#endif
-#ifdef HAVE_OPENSSL
-#if OPENSSL_VERSION_NUMBER >= 0x00907001
-    CRYPTO_cleanup_all_ex_data();
-#endif
 #endif
    ERR_remove_state(0);

@@ -229,6 +224,12 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
     * actually load the error strings once per process due to static
     * variable abuse in OpenSSL. */

+    /* Also don't call CRYPTO_cleanup_all_ex_data here; any registered
+     * ex_data indices may have been cached in static variables in
+     * OpenSSL; removing them may cause havoc.  Notably, with OpenSSL
+     * versions >= 0.9.8f, COMP_CTX cleanups would not be run, which
+     * could result in a per-connection memory leak (!). */
+
    /*
     * TODO: determine somewhere we can safely shove out diagnostics
     *       (when enabled) at this late stage in the game: