Bug 25667 - Memory leak in function ssl_scache_dbm_retrieve().
Summary: Memory leak in function ssl_scache_dbm_retrieve().
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.1-HEAD
Hardware: PC All
: P3 normal with 1 vote (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: FAQ, FixedInTrunk, MassUpdate, PatchAvailable
: 21376 34039 (view as bug list)
Depends on:
Reported: 2003-12-19 21:49 UTC by David Blake
Modified: 2018-11-07 21:09 UTC (History)
2 users (show)

Patch containing fix for memory leak in ssl_scache_dbm_retrieve. (1.03 KB, patch)
2003-12-19 21:51 UTC, David Blake
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description David Blake 2003-12-19 21:49:54 UTC
A leak of 148 bytes happens everytime the function ssl_scache_dbm_retrieve() 
calls d2i_SSL_SESSION() because the buffer pointed to by ucpData, which is 
locally malloced in ssl_scache_dbm_retrieve is never freed.  This really adds 
up over time.

Also, since d2i_SSL_SESSION() changes the address pointed to by ucpData we 
need to save off a copy of the address in a temporary pointer so that we can 
actually free it.

There are other source files that do the same thing but I want to get input on 
this one which is causing me problems.  Attached is a patch file.
Comment 1 David Blake 2003-12-19 21:51:00 UTC
Created attachment 9649 [details]
Patch containing fix for memory leak in ssl_scache_dbm_retrieve.
Comment 2 David Blake 2003-12-19 21:51:20 UTC
Comment 3 Joe Orton 2004-04-01 14:00:50 UTC
*** Bug 21376 has been marked as a duplicate of this bug. ***
Comment 4 Michael Straessle 2004-11-02 16:28:49 UTC
it seems we're affected by this bug too.
we are running Apache/2.0.52 (Win32) mod_ssl/2.0.52 OpenSSL/0.9.7d on a NT box.
apache is acting as SSL frontend and reverse proxy for a bunch of applications.

the child process is starting at around 14M, rapidly growing to 30M and then
constantly leaking memory. after 30k accesses, memory usage is at around 50M.

as workaround, we set MaxRequestsPerChild 30000. 
Comment 5 Joe Orton 2004-11-02 16:33:35 UTC
Switching to shmcb is the best workaround.
Comment 6 Michael Straessle 2004-11-03 08:52:20 UTC
Thanks. Somehow I was convinced that only dbm would work for SSLSessionCache on
win32 platforms. This was the case in 1.3, IIRC.
Comment 7 Michael Straessle 2004-11-17 10:14:50 UTC
use of shmcb prevents memory leak as described in comment #4. I would have
proposed to make shmcb the default for SSLSessionCache, but this has already
been done in HEAD:

It would be great to see this backported to APACHE_2_0_BRANCH, eventualy with
some update to docs (httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslsessioncache)
Comment 8 Joe Orton 2005-10-25 12:36:32 UTC
*** Bug 34039 has been marked as a duplicate of this bug. ***
Comment 9 William A. Rowe Jr. 2009-01-22 07:17:40 UTC
See also notes in Bug 25667
Comment 10 William A. Rowe Jr. 2009-01-22 07:18:22 UTC
Sorry to anyone stuck in an infinite loop, see also Bug 44795 (mixed up bug,
two issues, scroll to Michael's comments).
Comment 11 Michael Chen 2009-01-22 07:54:14 UTC
(In reply to comment #10)
> Sorry to anyone stuck in an infinite loop, see also Bug 44795 (mixed up bug,
> two issues, scroll to Michael's comments).

It is actually Bug 44975 intead of 44795.
Comment 12 Stefan Fritsch 2011-06-13 20:38:19 UTC
Fixed in trunk by makeing the the ssl session cache use mod_slotmem*
Comment 13 William A. Rowe Jr. 2018-11-07 21:09:31 UTC
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.