|Summary:||Memory leak in function ssl_scache_dbm_retrieve().|
|Product:||Apache httpd-2||Reporter:||David Blake <dblake>|
|Component:||mod_ssl||Assignee:||Apache HTTPD Bugs Mailing List <bugs>|
|Priority:||P3||Keywords:||FAQ, FixedInTrunk, MassUpdate, PatchAvailable|
|Attachments:||Patch containing fix for memory leak in ssl_scache_dbm_retrieve.|
Description David Blake 2003-12-19 21:49:54 UTC
A leak of 148 bytes happens everytime the function ssl_scache_dbm_retrieve() calls d2i_SSL_SESSION() because the buffer pointed to by ucpData, which is locally malloced in ssl_scache_dbm_retrieve is never freed. This really adds up over time. Also, since d2i_SSL_SESSION() changes the address pointed to by ucpData we need to save off a copy of the address in a temporary pointer so that we can actually free it. There are other source files that do the same thing but I want to get input on this one which is causing me problems. Attached is a patch file.
Comment 1 David Blake 2003-12-19 21:51:00 UTC
Created attachment 9649 [details] Patch containing fix for memory leak in ssl_scache_dbm_retrieve.
Comment 2 David Blake 2003-12-19 21:51:20 UTC
Comment 3 Joe Orton 2004-04-01 14:00:50 UTC
*** Bug 21376 has been marked as a duplicate of this bug. ***
Comment 4 Michael Straessle 2004-11-02 16:28:49 UTC
it seems we're affected by this bug too. we are running Apache/2.0.52 (Win32) mod_ssl/2.0.52 OpenSSL/0.9.7d on a NT box. apache is acting as SSL frontend and reverse proxy for a bunch of applications. the child process is starting at around 14M, rapidly growing to 30M and then constantly leaking memory. after 30k accesses, memory usage is at around 50M. as workaround, we set MaxRequestsPerChild 30000.
Comment 5 Joe Orton 2004-11-02 16:33:35 UTC
Switching to shmcb is the best workaround.
Comment 6 Michael Straessle 2004-11-03 08:52:20 UTC
Thanks. Somehow I was convinced that only dbm would work for SSLSessionCache on win32 platforms. This was the case in 1.3, IIRC.
Comment 7 Michael Straessle 2004-11-17 10:14:50 UTC
use of shmcb prevents memory leak as described in comment #4. I would have proposed to make shmcb the default for SSLSessionCache, but this has already been done in HEAD: http://cvs.apache.org/viewcvs.cgi/httpd-2.0/docs/conf/ssl-std.conf.in?r1=1.6&r2=1.7 It would be great to see this backported to APACHE_2_0_BRANCH, eventualy with some update to docs (httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslsessioncache)
Comment 8 Joe Orton 2005-10-25 12:36:32 UTC
*** Bug 34039 has been marked as a duplicate of this bug. ***
Comment 10 William A. Rowe Jr. 2009-01-22 07:18:22 UTC
Sorry to anyone stuck in an infinite loop, see also Bug 44795 (mixed up bug, two issues, scroll to Michael's comments).
Comment 11 Michael Chen 2009-01-22 07:54:14 UTC
(In reply to comment #10) > Sorry to anyone stuck in an infinite loop, see also Bug 44795 (mixed up bug, > two issues, scroll to Michael's comments). It is actually Bug 44975 intead of 44795.
Comment 12 Stefan Fritsch 2011-06-13 20:38:19 UTC
Fixed in trunk by makeing the the ssl session cache use mod_slotmem*
Comment 13 William A. Rowe Jr. 2018-11-07 21:09:31 UTC
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd. As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd. If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question. If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with. Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.