Backport to v2.4:
authorGraham Leggett <minfrin@apache.org>
Sat, 18 Nov 2023 11:20:14 +0000 (11:20 +0000)
committerGraham Leggett <minfrin@apache.org>
Sat, 18 Nov 2023 11:20:14 +0000 (11:20 +0000)
  *) mod_ssl: release memory to the OS when needed
     Trunk version of patch:
       https://svn.apache.org/r1898410
       https://svn.apache.org/r1898366
        svn merge -c 1898366 ^/httpd/httpd/trunk .
        svn merge -c 1898410 ^/httpd/httpd/trunk .
     +1: gbechis, ylavic, jorton

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1913909 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
STATUS
modules/ssl/ssl_engine_init.c
modules/ssl/ssl_util_ocsp.c
modules/ssl/ssl_util_stapling.c

diff --git a/CHANGES b/CHANGES
index 80b75cdc2b85d8f7e6c8a80e19513133cbfef4e3..0623f110319ce65379062f911585b3b1710f52b5 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.59
 
+  *) mod_ssl: release memory to the OS when needed. [Giovanni Bechis]
+
   *) mod_proxy: Ignore (and warn about) enablereuse=on for ProxyPassMatch when
      some dollar substitution (backreference) happens in the hostname or port
      part of the URL.  [Yann Ylavic]
diff --git a/STATUS b/STATUS
index 4d012c1b70c61f2f7bc0781135a382a4f95df8a2..ca3ed677553396d863b3ce4845995544ee4bc8e3 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -153,13 +153,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  *) mod_ssl: release memory to the OS when needed
-     Trunk version of patch:
-       https://svn.apache.org/r1898410
-       https://svn.apache.org/r1898366
-        svn merge -c 1898366 ^/httpd/httpd/trunk .
-        svn merge -c 1898410 ^/httpd/httpd/trunk .
-     +1: gbechis, ylavic, jorton
 
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
index e5d8f68a596792557b986717708e4d1294970be4..dc51a680f079ae3014f54acec835258263a24a46 100644 (file)
@@ -1765,6 +1765,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02208)
                      "SSL proxy client cert initialization failed");
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+        sk_X509_INFO_free(sk);
         return ssl_die(s);
     }
 
@@ -1774,7 +1775,11 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
         int i;
 
         X509_INFO *inf = sk_X509_INFO_value(pkp->certs, n);
-        X509_STORE_CTX_init(sctx, store, inf->x509, NULL);
+        if (!X509_STORE_CTX_init(sctx, store, inf->x509, NULL)) {
+            sk_X509_INFO_free(sk);
+            X509_STORE_CTX_free(sctx);
+            return ssl_die(s);
+        }
 
         /* Attempt to verify the client cert */
         if (X509_verify_cert(sctx) != 1) {
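Review bot: The new `X509_STORE_CTX_init` failure branch frees `sk` with `sk_X509_INFO_free(sk)` while the loop reads the same certificates through `pkp->certs`, and the `X509_STORE_CTX_new` failure path in the previous hunk makes the same call. `sk_X509_INFO_free` releases only the stack container, not the `X509_INFO` entries. If `pkp->certs` aliases `sk` (the assignment is outside the hunk), the proxy config keeps a pointer to freed memory once `ssl_die(s)` returns its status to the caller. Consider `sk_X509_INFO_pop_free(sk, X509_INFO_free); pkp->certs = NULL;` in both places. This branch also exits without a diagnostic, unlike the earlier one, so adding `ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);` before the frees would keep the OpenSSL error queue in the log.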
index b9c8a0b850e1cec468e3b9652b1c9faf23aa0cf1..a202a72ee1084df0f5ea5b59cf399aba5ab25199 100644 (file)
@@ -370,8 +370,11 @@ static STACK_OF(X509) *modssl_read_ocsp_certificates(const char *file)
     while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
         if (!other_certs) {
                 other_certs = sk_X509_new_null();
-                if (!other_certs)
+                if (!other_certs) {
+                        X509_free(x509);
+                        BIO_free(bio);
                         return NULL;
+                }
         }
                 
         if (!sk_X509_push(other_certs, x509)) {
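Review bot: The ownership rule behind the added cleanup is undocumented: `x509` belongs to this function until `sk_X509_push` succeeds, so every early return inside the loop has to release it together with `bio`. A short comment above the new lines, for example `/* x509 is not on the stack yet: free it and the BIO before returning */`, would make that explicit for the next early return someone adds. The push-failure branch opens on the last line of the hunk and its body is outside it, so it is worth confirming that it performs the same cleanup.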
index c9d1d8e13d8bd5d80ff822eb2b74c4480d0f4bb3..a2ed99b527003ed4d6bef6f9516a56d093da5fc7 100644 (file)
@@ -117,8 +117,10 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
     }
 
     inctx = X509_STORE_CTX_new();
-    if (!X509_STORE_CTX_init(inctx, st, NULL, NULL))
+    if (!X509_STORE_CTX_init(inctx, st, NULL, NULL)) {
+        X509_STORE_CTX_free(inctx);
         return 0;
+    }
     if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0)
         issuer = NULL;
     X509_STORE_CTX_cleanup(inctx);
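Review bot: `inctx` is still passed to `X509_STORE_CTX_init` without a NULL check after `X509_STORE_CTX_new()`, so an allocation failure reaches the init call with a NULL context. Whether that is rejected or dereferenced depends on the OpenSSL version in use. Folding the check into the condition, `if (!inctx || !X509_STORE_CTX_init(inctx, st, NULL, NULL)) {`, covers both cases, since `X509_STORE_CTX_free(NULL)` is a no-op. The function returns `X509 *`, so `return NULL;` would read better than `return 0;`. The success path's `X509_STORE_CTX_cleanup(inctx)` is the last visible line, and the matching free is outside the hunk.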