Fix memory leak in HTTPS checks

Resolves: #2134749
2022-12-22 23:55:05 -06:00 · 2022-12-22 23:55:05 -06:00 · 65913b352f
commit 65913b352f
parent 2625fb0d5e
2 changed files with 65 additions and 1 deletions
--- a/bz2134749-fix-memory-leak-https-checks.patch
+++ b/bz2134749-fix-memory-leak-https-checks.patch
@ -0,0 +1,59 @@
+From a06833b312523a563d0f3c8ddc7d52a24eb691df Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Thu, 13 Oct 2022 08:32:17 +0100
+Subject: [PATCH] ipvs: Work around OpenSSL memory leak in versions 3.0.0 to
+ 3.0.4
+
+The memory leak was observed with OpenSSL 3.0.1, and it is resolved
+by version 3.0.5. Also the leak is not observed in v1.1.1n.
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ keepalived/check/check_ssl.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/keepalived/check/check_ssl.c b/keepalived/check/check_ssl.c
+index 917ac0d7..3cae0415 100644
+--- a/keepalived/check/check_ssl.c
+++ b/keepalived/check/check_ssl.c
+@@ -229,7 +229,25 @@ ssl_connect(thread_ref_t thread, int new_req)
+ 		BIO_get_fd(req->bio, &bio_fd);
+ 		if (fcntl(bio_fd, F_SETFD, fcntl(bio_fd, F_GETFD) | FD_CLOEXEC) == -1)
+ 			log_message(LOG_INFO, "Setting CLOEXEC failed on ssl socket - errno %d", errno);
+-#ifdef HAVE_SSL_SET0_RBIO
+
+		/* There is a memory leak in openSSL at least in version 3.0.1, which is fixed
+		 * by version 3.0.5. It was not present in version 1.1.1n. Since I haven't been
+		 * able to identify the OpenSSL patch that resolved the leak, we play safe and
+		 * assume it is in versions 3.0.0 up to 3.0.4.
+		 * The leak is memory allocated by
+		 *   p = OPENSSL_malloc(len);
+		 * in ssl3_setup_write_buffer() in ssl/record/ssl_buffer.c
+		 *
+		 * It appears that setting SSL_MODE_RELEASE_BUFFERS causes the memory leak not
+		 * to occur.
+		 */
+#ifdef OPENSSL_VERSION_MAJOR
+#if OPENSSL_VERSION_MAJOR == 3 && OPENSSL_VERSION_MINOR == 0 && OPENSSL_VERSION_PATCH <= 4
+		SSL_set_mode(req->ssl, SSL_MODE_RELEASE_BUFFERS);
+#endif
+#endif
+
+#if defined HAVE_SSL_SET0_RBIO && defined HAVE_SSL_SET0_WBIO
+ 		BIO_up_ref(req->bio);
+ 		SSL_set0_rbio(req->ssl, req->bio);
+ 		SSL_set0_wbio(req->ssl, req->bio);
+@@ -246,8 +264,8 @@ ssl_connect(thread_ref_t thread, int new_req)
+ 				vhost = checker->vs->virtualhost;
+ 			if (vhost)
+ 				SSL_set_tlsext_host_name(req->ssl, vhost);
+-		}
+-#endif
+		}#
+endif
+ 	}
+ 
+ 	ret = SSL_connect(req->ssl);
+-- 
+2.38.1
+
--- a/keepalived.spec
+++ b/keepalived.spec
@ -11,7 +11,7 @@
 Name: keepalived
 Summary: High Availability monitor built upon LVS, VRRP and service pollers
 Version: 2.2.4
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 URL: http://www.keepalived.org/

@ -20,6 +20,7 @@ Source1: keepalived.service

 Patch1: bz2028351-fix-dbus-policy-restrictions.patch
 Patch2: bz2102493-fix-variable-substitution.patch
+Patch3: bz2134749-fix-memory-leak-https-checks.patch

 Requires(post): systemd
 Requires(preun): systemd
@ -62,6 +63,7 @@ infrastructures.
 %setup -q
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1

 %build
 %configure \
@ -112,6 +114,9 @@ mkdir -p %{buildroot}%{_libexecdir}/keepalived
 %{_mandir}/man8/keepalived.8*

 %changelog
+* Thu Dec 22 2022 Ryan O'Hara <rohara@redhat.com> - 2.2.4-5
+- Fix memory leak in https checks (#2134749)
+
 * Thu Dec 22 2022 Ryan O'Hara <rohara@redhat.com> - 2.2.4-4
 - Fix variable substitution in consditional lines (#2101493)