First Last Prev Next    This bug is not in your last search results.
Bug 27106 - Possible memory leak when accessing SSL port with plain HTTP
Possible memory leak when accessing SSL port with plain HTTP
Status: CLOSED FIXED
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
2.0.48
PC Linux
: P3 normal (vote)
: ---
Assigned To: Apache HTTPD Bugs Mailing List
https://webmail.zedis.lv
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2004-02-20 11:22 UTC by Mick Wall
Modified: 2005-12-04 01:40 UTC (History)
1 user (show)


Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mick Wall 2004-02-20 11:22:36 UTC 
I was running some tests with apachebench to get some performance timings, I 
inadvertantly gave a URL that was SSL enabled but with a http:// prefix.  If I 
do this from a browser I get the message 

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.


I was watching the memory footprint of httpd while doing this, and it grows 
RAPIDLY!,  here is a trace, dumped every 5 seconds

   40001 A   nsuser  48354  17728 104  60 20 3d144  6556        * 
11:10:29      -  0:01 lt-httpd -k start -DSSL
   40001 A   nsuser  48354  17728  79  60 20 3d144 171528        * 
11:10:29      -  0:06 lt-httpd -k start -DSSL
   40001 A   nsuser  48354  17728  76  60 20 3d144 418664        * 
11:10:29      -  0:10 lt-httpd -k start -DSSL
   40001 A   nsuser  48354  17728   2  60 20 3d144 630156        * 
11:10:29      -  0:14 lt-httpd -k start -DSSL
   40001 A   nsuser  48354  17728   0  60 20 3d144 630156        * 
11:10:29      -  0:14 lt-httpd -k start -DSSL
   40001 A   nsuser  48354  17728   0  60 20 3d144 630156        * 
11:10:29      -  0:14 lt-httpd -k start -DSSL
   40001 A   nsuser  48354  17728   0  60 20 3d144 630156        * 
11:10:29      -  0:14 lt-httpd -k start -DSSL
   40001 A   nsuser  48354  17728  23  60 20 3d144 631532        * 
11:10:29      -  0:14 lt-httpd -k start -DSSL
   40001 A   nsuser  48354  17728 118  60 20 3d144 643608        * 
11:10:29      -  0:21 lt-httpd -k start -DSSL
   40001 A   nsuser  48354  17728  13  60 20 3d144 649964        * 
11:10:29      -  0:28 lt-httpd -k start -DSSL
   40001 A   nsuser  48354  17728  32  60 20 3d144 656148        * 
11:10:29      -  0:34 lt-httpd -k start -DSSL
   40001 A   nsuser  48354  17728  52  60 20 3d144 662140        * 
11:10:29      -  0:41 lt-httpd -k start -DSSL
   40001 A   nsuser  48354  17728  75  60 20 3d144 668276        * 
11:10:29      -  0:48 lt-httpd -k start -DSSL
   40001 A   nsuser  48354  17728 109  60 20 3d144 674340        * 
11:10:29      -  0:54 lt-httpd -k start -DSSL
   40001 A   nsuser  48354  17728 131  60 20 3d144 680632        * 
11:10:29      -  1:01 lt-httpd -k start -DSSL
   40001 A   nsuser  48354  17728  18  60 20 3d144 686904        * 
11:10:29      -  1:08 lt-httpd -k start -DSSL
   40001 A   nsuser  48354  17728  43  60 20 3d144 693064        * 
11:10:29      -  1:14 lt-httpd -k start -DSSL
   40001 A   nsuser  48354  17728  73  60 20 3d144 699364        * 
11:10:29      -  1:21 lt-httpd -k start -DSSL
   40001 A   nsuser  48354  17728  92  60 20 3d144 705672        * 
11:10:29      -  1:28 lt-httpd -k start -DSSL
   40001 A   nsuser  48354  17728 110  60 20 3d144 711836        * 
11:10:29      -  1:34 lt-httpd -k start -DSSL
   40001 A   nsuser  48354  17728  12  60 20 3d144 718044        * 
11:10:29      -  1:41 lt-httpd -k start -DSSL
   40001 A   nsuser  48354  17728  36  60 20 3d144 724340        * 
11:10:29      -  1:48 lt-httpd -k start -DSSL
   40001 A   nsuser  48354  17728  57  60 20 3d144 730148        * 


Shortly after this the process crashed.

Regards

Mick
Comment 1 Joe Orton 2004-02-25 10:55:41 UTC 
Ouch! Thanks for the report, the fix is here:

http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.117&r2=1.118

this change will be proposed for inclusion in the next 2.0 release.
Comment 2 Mark Cox 2004-03-03 10:08:21 UTC 
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2004-0113 to this issue.
Comment 3 Joe Orton 2004-03-09 14:11:39 UTC 
There was a minor bug in the patch posted previously; the better fix is below:

http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.100.2.11&r2=1.100.2.12
Comment 4 zedis 2004-03-10 07:12:52 UTC 
adfgsdfg
First Last Prev Next    This bug is not in your last search results.