Merge r654119 from trunk:

* modules/ssl/mod_ssl.c (ssl_cleanup_pre_config): Remove the call to
  CRYPTO_cleanup_all_ex_data here, fixing a per-connection memory leak
  which occurs if the client indicates support for a compression
  algorithm in the initial handshake, and mod_ssl is linked against
  OpenSSL >= 0.9.8f.

Thanks to Amund Elstad and Dr Stephen Henson for analysis of this
issue.

Submitted by: jorton
Reviewed by: rpluem, jim, fielding

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@657445 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index b057d26990d01b7260c7ca64002879f9bdd65e9e..7d63562e43288b541cf001457a8c0c142a1ca45f 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.9
 
+  *) mod_ssl: Fix a memory leak with connections that have zlib compression
+     turned on. PR 44975 [Joe Orton, Amund Elstad <Amund.Elstad ist.com>,
+     Dr Stephen Henson <steve openssl.org>]
+
   *) mod_proxy: Trigger a retry by the client in the case we fail to read the
      response line from the backend by closing the connection to the client.
      PR 37770 [Ruediger Pluem]

diff --git a/STATUS b/STATUS
index dcfe18261dbf03b74c6b73c34586358317013fb5..ee547f0e6b80f9459575c14473943b58f681af26 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -90,16 +90,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-* mod_ssl: Fix a memory leak with connections that have zlib compression
-  turned on. PR 44975 [Joe Orton, Amund Elstad <Amund.Elstad ist.com>, 
-  Dr Stephen Henson <steve openssl.org>]
-      Trunk version of patch:
-         http://svn.apache.org/viewvc?rev=654119&view=rev
-      Backport version for 2.2.x of patch:
-         Trunk version of patch works
-      +1: rpluem, jim, fielding
-
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
 

diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 01d5b43bb95a87125932d57927a1a4ceb67b2f5a..ff6901674607d24fc87f7d58e59ea962b1f7f9c4 100644 (file)
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -226,11 +226,6 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
     EVP_cleanup();
 #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
     ENGINE_cleanup();
-#endif
-#ifdef HAVE_OPENSSL
-#if OPENSSL_VERSION_NUMBER >= 0x00907001
-    CRYPTO_cleanup_all_ex_data();
-#endif
 #endif
     ERR_remove_state(0);
 
@@ -238,6 +233,12 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
      * actually load the error strings once per process due to static
      * variable abuse in OpenSSL. */
 
+    /* Also don't call CRYPTO_cleanup_all_ex_data here; any registered
+     * ex_data indices may have been cached in static variables in
+     * OpenSSL; removing them may cause havoc.  Notably, with OpenSSL
+     * versions >= 0.9.8f, COMP_CTX cleanups would not be run, which
+     * could result in a per-connection memory leak (!). */
+
     /*
      * TODO: determine somewhere we can safely shove out diagnostics
      *       (when enabled) at this late stage in the game: