From: William Lallemand Date: Fri, 3 Apr 2026 08:58:48 +0000 (+0200) Subject: BUG/MINOR: ssl: fix memory leak in ssl_fc_crtname by using SSL_CTX ex_data index X-Git-Tag: v3.4-dev8~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e42f381bfc6ff62aaa5b9355d4b5dd763d6b19aa;p=thirdparty%2Fhaproxy.git BUG/MINOR: ssl: fix memory leak in ssl_fc_crtname by using SSL_CTX ex_data index The ssl_crtname_index was registered with SSL_get_ex_new_index() but the certificate name is stored on a SSL_CTX object via SSL_CTX_set_ex_data(). The free callback is only invoked for the object type matching the index registration, so the strdup'd name was never freed when the SSL_CTX was released. Fix this by using SSL_CTX_get_ex_new_index() instead, which ensures the free callback fires when the SSL_CTX is destroyed. No backport needed. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 5c410f2a8..3ebd1b0d6 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -8506,7 +8506,7 @@ static void __ssl_sock_init(void) #endif ssl_client_crt_ref_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_clt_crt_free_func); ssl_client_sni_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_clt_sni_free_func); - ssl_crtname_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_free_crtname); + ssl_crtname_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_free_crtname); #if defined(USE_ENGINE) && !defined(OPENSSL_NO_ENGINE) ENGINE_load_builtin_engines();
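Review bot: the one-line change in __ssl_sock_init fixes the registration side, but the hunk does not show the free callback or the readers of ssl_crtname_index, so two things are worth confirming before merge. First, with SSL_CTX_get_ex_new_index the ssl_sock_free_crtname callback now fires for every SSL_CTX that is freed, including the ones on which no name was ever stored, so the callback must tolerate a NULL ptr (a plain free() does, anything that dereferences it does not). Second, SSL and SSL_CTX ex_data indices are separate index spaces, so any remaining call that reads or writes this index through SSL_get_ex_data()/SSL_set_ex_data() on the SSL object (rather than SSL_CTX_get_ex_data()/SSL_CTX_set_ex_data() on the context, as the commit message says the store side already does) would now silently touch an unrelated slot; a quick grep for ssl_crtname_index to check that every user goes through the SSL_CTX variants would make this self-contained. A comment next to the index declaration stating that it is an SSL_CTX index, not an SSL index, would prevent the same mismatch from reappearing next to the two SSL_get_ex_new_index() lines above it.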