From 65913b352f64bf6f341765296fa2d7ba390ba07d Mon Sep 17 00:00:00 2001
From: Ryan O'Hara
Date: Thu, 22 Dec 2022 23:55:05 -0600
Subject: [PATCH] Fix memory leak in HTTPS checks

Resolves: #2134749
---
 bz2134749-fix-memory-leak-https-checks.patch | 59 ++++++++++++++++++++
 keepalived.spec | 7 ++-
 2 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 bz2134749-fix-memory-leak-https-checks.patch

diff --git a/bz2134749-fix-memory-leak-https-checks.patch b/bz2134749-fix-memory-leak-https-checks.patch
new file mode 100644
index 0000000..716882a
--- /dev/null
+++ b/bz2134749-fix-memory-leak-https-checks.patch
@@ -0,0 +1,59 @@
+From a06833b312523a563d0f3c8ddc7d52a24eb691df Mon Sep 17 00:00:00 2001
+From: Quentin Armitage
+Date: Thu, 13 Oct 2022 08:32:17 +0100
+Subject: [PATCH] ipvs: Work around OpenSSL memory leak in versions 3.0.0 to
+ 3.0.4
+
+The memory leak was observed with OpenSSL 3.0.1, and it is resolved
+by version 3.0.5. Also the leak is not observed in v1.1.1n.
+
+Signed-off-by: Quentin Armitage
+---
+ keepalived/check/check_ssl.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/keepalived/check/check_ssl.c b/keepalived/check/check_ssl.c
+index 917ac0d7..3cae0415 100644
+--- a/keepalived/check/check_ssl.c
++++ b/keepalived/check/check_ssl.c
+@@ -229,7 +229,25 @@ ssl_connect(thread_ref_t thread, int new_req)
+ BIO_get_fd(req->bio, &bio_fd);
+ if (fcntl(bio_fd, F_SETFD, fcntl(bio_fd, F_GETFD) | FD_CLOEXEC) == -1)
+ log_message(LOG_INFO, "Setting CLOEXEC failed on ssl socket - errno %d", errno);
+-#ifdef HAVE_SSL_SET0_RBIO
++
++ /* There is a memory leak in openSSL at least in version 3.0.1, which is fixed
++ * by version 3.0.5. It was not present in version 1.1.1n. Since I haven't been
++ * able to identify the OpenSSL patch that resolved the leak, we play safe and
++ * assume it is in versions 3.0.0 up to 3.0.4.
++ * The leak is memory allocated by
++ * p = OPENSSL_malloc(len);
++ * in ssl3_setup_write_buffer() in ssl/record/ssl_buffer.c
++ *
++ * It appears that setting SSL_MODE_RELEASE_BUFFERS causes the memory leak not
++ * to occur.
++ */
++#ifdef OPENSSL_VERSION_MAJOR
++#if OPENSSL_VERSION_MAJOR == 3 && OPENSSL_VERSION_MINOR == 0 && OPENSSL_VERSION_PATCH <= 4
++ SSL_set_mode(req->ssl, SSL_MODE_RELEASE_BUFFERS);
++#endif
++#endif
++
++#if defined HAVE_SSL_SET0_RBIO && defined HAVE_SSL_SET0_WBIO
+ BIO_up_ref(req->bio);
+ SSL_set0_rbio(req->ssl, req->bio);
+ SSL_set0_wbio(req->ssl, req->bio);
+@@ -246,8 +264,8 @@ ssl_connect(thread_ref_t thread, int new_req)
+ vhost = checker->vs->virtualhost;
+ if (vhost)
+ SSL_set_tlsext_host_name(req->ssl, vhost);
+- }
+-#endif
++ }#
++endif
+ }
+
+ ret = SSL_connect(req->ssl);
+--
+2.38.1
+
diff --git a/keepalived.spec b/keepalived.spec
index 40fdef7..884bb0d 100644
--- a/keepalived.spec
+++ b/keepalived.spec
@@ -11,7 +11,7 @@ Name: keepalived
 Summary: High Availability monitor built upon LVS, VRRP and service pollers
 Version: 2.2.4
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 URL: http://www.keepalived.org/
@@ -20,6 +20,7 @@ Source1: keepalived.service
 Patch1: bz2028351-fix-dbus-policy-restrictions.patch
 Patch2: bz2102493-fix-variable-substitution.patch
+Patch3: bz2134749-fix-memory-leak-https-checks.patch
 Requires(post): systemd
 Requires(preun): systemd
@@ -62,6 +63,7 @@ infrastructures.
 %setup -q
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 %build
 %configure \
@@ -112,6 +114,9 @@ mkdir -p %{buildroot}%{_libexecdir}/keepalived
 %{_mandir}/man8/keepalived.8*
 %changelog
+* Thu Dec 22 2022 Ryan O'Hara - 2.2.4-5
+- Fix memory leak in https checks (#2134749)
+
 * Thu Dec 22 2022 Ryan O'Hara - 2.2.4-4
 - Fix variable substitution in consditional lines (#2101493)
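Review bot: The second hunk of the embedded check_ssl.c patch (`@@ -246,8 +264,8 @@`) replaces `}` and `#endif` with `}#` and `endif`; a `#` that is not the first token on its line is not a directive, so the conditional that `#endif` closed is left unterminated and `endif` becomes a stray identifier, which will stop check_ssl.c from compiling once this patch is applied to the 2.2.4 source. The two new-side lines should be restored to `}` and `#endif` (which makes that hunk a no-op and can simply be dropped from the embedded patch). ssl_connect begins and ends outside both hunks. Separately, the new `OPENSSL_VERSION_PATCH <= 4` guard in the first hunk chooses the workaround from the headers at build time, whereas the leak is in whichever libssl is loaded at run time, so a package built against 3.0.5 headers but run on an older 3.0.x library would presumably still leak; since `SSL_MODE_RELEASE_BUFFERS` only trades buffer reuse for memory, setting it unconditionally, or gating on OpenSSL_version_num() at run time, would avoid depending on the build-host version.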