rpms/keepalived
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix memory leak in HTTPS checks

Browse Source 
Resolves: #2134749
This commit is contained in:
Ryan O'Hara 2022-12-22 23:55:05 -06:00
parent 2625fb0d5e
commit 65913b352f
2 changed files with 65 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
bz2134749-fix-memory-leak-https-checks.patch Normal file
View File

@ -0,0 +1,59 @@
From a06833b312523a563d0f3c8ddc7d52a24eb691df Mon Sep 17 00:00:00 2001
From: Quentin Armitage <quentin@armitage.org.uk>
Date: Thu, 13 Oct 2022 08:32:17 +0100
Subject: [PATCH] ipvs: Work around OpenSSL memory leak in versions 3.0.0 to
3.0.4
The memory leak was observed with OpenSSL 3.0.1, and it is resolved
by version 3.0.5. Also the leak is not observed in v1.1.1n.
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
---
keepalived/check/check_ssl.c | 24 +++++++++++++++++++++---
1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/keepalived/check/check_ssl.c b/keepalived/check/check_ssl.c
index 917ac0d7..3cae0415 100644
--- a/keepalived/check/check_ssl.c
+++ b/keepalived/check/check_ssl.c
@@ -229,7 +229,25 @@ ssl_connect(thread_ref_t thread, int new_req)
BIO_get_fd(req->bio, &bio_fd);
if (fcntl(bio_fd, F_SETFD, fcntl(bio_fd, F_GETFD) | FD_CLOEXEC) == -1)
log_message(LOG_INFO, "Setting CLOEXEC failed on ssl socket - errno %d", errno);
-#ifdef HAVE_SSL_SET0_RBIO
+
+ /* There is a memory leak in openSSL at least in version 3.0.1, which is fixed
+ * by version 3.0.5. It was not present in version 1.1.1n. Since I haven't been
+ * able to identify the OpenSSL patch that resolved the leak, we play safe and
+ * assume it is in versions 3.0.0 up to 3.0.4.
+ * The leak is memory allocated by
+ * p = OPENSSL_malloc(len);
+ * in ssl3_setup_write_buffer() in ssl/record/ssl_buffer.c
+ *
+ * It appears that setting SSL_MODE_RELEASE_BUFFERS causes the memory leak not
+ * to occur.
+ */
+#ifdef OPENSSL_VERSION_MAJOR
+#if OPENSSL_VERSION_MAJOR == 3 && OPENSSL_VERSION_MINOR == 0 && OPENSSL_VERSION_PATCH <= 4
+ SSL_set_mode(req->ssl, SSL_MODE_RELEASE_BUFFERS);
+#endif
+#endif
+
+#if defined HAVE_SSL_SET0_RBIO && defined HAVE_SSL_SET0_WBIO
BIO_up_ref(req->bio);
SSL_set0_rbio(req->ssl, req->bio);
SSL_set0_wbio(req->ssl, req->bio);
@@ -246,8 +264,8 @@ ssl_connect(thread_ref_t thread, int new_req)
vhost = checker->vs->virtualhost;
if (vhost)
SSL_set_tlsext_host_name(req->ssl, vhost);
- }
-#endif
+ }#
+endif
}
ret = SSL_connect(req->ssl);
--
2.38.1

7
keepalived.spec
View File

@ -11,7 +11,7 @@
Name: keepalived Name: keepalived
Summary: High Availability monitor built upon LVS, VRRP and service pollers Summary: High Availability monitor built upon LVS, VRRP and service pollers
Version: 2.2.4 Version: 2.2.4
Release: 4%{?dist} Release: 5%{?dist}
License: GPLv2+ License: GPLv2+
URL: http://www.keepalived.org/ URL: http://www.keepalived.org/
@ -20,6 +20,7 @@ Source1: keepalived.service
Patch1: bz2028351-fix-dbus-policy-restrictions.patch Patch1: bz2028351-fix-dbus-policy-restrictions.patch
Patch2: bz2102493-fix-variable-substitution.patch Patch2: bz2102493-fix-variable-substitution.patch
Patch3: bz2134749-fix-memory-leak-https-checks.patch
Requires(post): systemd Requires(post): systemd
Requires(preun): systemd Requires(preun): systemd
@ -62,6 +63,7 @@ infrastructures.
%setup -q %setup -q
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p1
%build %build
%configure \ %configure \
@ -112,6 +114,9 @@ mkdir -p %{buildroot}%{_libexecdir}/keepalived
%{_mandir}/man8/keepalived.8* %{_mandir}/man8/keepalived.8*
%changelog %changelog
* Thu Dec 22 2022 Ryan O'Hara <rohara@redhat.com> - 2.2.4-5
- Fix memory leak in https checks (#2134749)
* Thu Dec 22 2022 Ryan O'Hara <rohara@redhat.com> - 2.2.4-4 * Thu Dec 22 2022 Ryan O'Hara <rohara@redhat.com> - 2.2.4-4
- Fix variable substitution in consditional lines (#2101493) - Fix variable substitution in consditional lines (#2101493)