From 379115153cdbc130039b2048441e6ff8db8e009d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 29 Apr 2026 10:47:58 +0200 Subject: [PATCH] Resolves: RHEL-169992 - Setting "http_reply_access" in squid.conf causes a memory leak --- squid-6.10-memleak-http-reply.patch | 626 ++++++++++++++++++++++++++++ squid.spec | 8 +- 2 files changed, 633 insertions(+), 1 deletion(-) create mode 100644 squid-6.10-memleak-http-reply.patch diff --git a/squid-6.10-memleak-http-reply.patch b/squid-6.10-memleak-http-reply.patch new file mode 100644 index 0000000..473e6de --- /dev/null +++ b/squid-6.10-memleak-http-reply.patch @@ -0,0 +1,626 @@ +From 75956c6d8c08fb5c046148a75f53400ca3066901 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Wed, 29 Apr 2026 10:38:46 +0200 +Subject: [PATCH] Setting "http_reply_access" in squid.conf causes a memory + leak + +Backported https://github.com/squid-cache/squid/pull/1764/ +--- + src/AclRegs.cc | 4 ++-- + src/DelayId.cc | 5 +---- + src/HttpHeaderTools.cc | 12 ++---------- + src/HttpReply.cc | 3 +-- + src/Notes.cc | 6 ++---- + src/acl/ConnectionsEncrypted.cc | 4 ++-- + src/acl/FilledChecklist.cc | 26 ++++++++++++++++++++------ + src/acl/FilledChecklist.h | 17 +++++++++++++++-- + src/acl/HttpHeaderData.cc | 10 ++++------ + src/acl/HttpHeaderData.h | 4 ++-- + src/acl/HttpRepHeader.cc | 5 +++-- + src/acl/HttpRepHeader.h | 2 +- + src/acl/HttpReqHeader.cc | 5 +++-- + src/acl/HttpReqHeader.h | 2 +- + src/acl/HttpStatus.cc | 2 +- + src/acl/ReplyHeaderStrategy.h | 2 +- + src/acl/ReplyMimeType.h | 3 ++- + src/adaptation/AccessCheck.cc | 5 ++--- + src/adaptation/icap/Launcher.cc | 3 +-- + src/adaptation/icap/icap_log.cc | 5 +---- + src/auth/UserRequest.cc | 3 +-- + src/client_side.cc | 24 ++++-------------------- + src/client_side_reply.cc | 7 ++----- + src/clients/Client.cc | 5 ++--- + src/http.cc | 5 ++--- + src/http/Stream.cc | 3 +-- + src/neighbors.cc | 6 +----- + 27 files changed, 80 insertions(+), 98 deletions(-) + +diff --git a/src/AclRegs.cc b/src/AclRegs.cc +index 166e3bd..f38fa01 100644 +--- a/src/AclRegs.cc ++++ b/src/AclRegs.cc +@@ -130,8 +130,8 @@ Acl::Init() + RegisterMaker("dstdom_regex", [](TypeName name)->ACL* { return new ACLStrategised(new ACLRegexData, new ACLDestinationDomainStrategy, name); }); + RegisterMaker("dst", [](TypeName)->ACL* { return new ACLDestinationIP; }); // XXX: Add name parameter to ctor + RegisterMaker("hier_code", [](TypeName name)->ACL* { return new ACLStrategised(new ACLHierCodeData, new ACLHierCodeStrategy, name); }); +- RegisterMaker("rep_header", [](TypeName name)->ACL* { return new ACLStrategised(new ACLHTTPHeaderData, new ACLHTTPRepHeaderStrategy, name); }); +- RegisterMaker("req_header", [](TypeName name)->ACL* { return new ACLStrategised(new ACLHTTPHeaderData, new ACLHTTPReqHeaderStrategy, name); }); ++ RegisterMaker("rep_header", [](TypeName name)->ACL* { return new ACLStrategised(new ACLHTTPHeaderData, new ACLHTTPRepHeaderStrategy, name); }); ++ RegisterMaker("req_header", [](TypeName name)->ACL* { return new ACLStrategised(new ACLHTTPHeaderData, new ACLHTTPReqHeaderStrategy, name); }); + RegisterMaker("http_status", [](TypeName name)->ACL* { return new ACLHTTPStatus(name); }); + RegisterMaker("maxconn", [](TypeName name)->ACL* { return new ACLMaxConnection(name); }); + RegisterMaker("method", [](TypeName name)->ACL* { return new ACLStrategised(new ACLMethodData, new ACLMethodStrategy, name); }); +diff --git a/src/DelayId.cc b/src/DelayId.cc +index 0e86d3d..319451a 100644 +--- a/src/DelayId.cc ++++ b/src/DelayId.cc +@@ -87,10 +87,7 @@ DelayId::DelayClient(ClientHttpRequest * http, HttpReply *reply) + + ACLFilledChecklist ch(DelayPools::delay_data[pool].access, r, nullptr); + clientAclChecklistFill(ch, http); +- if (!ch.reply && reply) { +- ch.reply = reply; +- HTTPMSGLOCK(reply); +- } ++ ch.updateReply(reply); + // overwrite ACLFilledChecklist acl_uses_indirect_client-based decision + #if FOLLOW_X_FORWARDED_FOR + if (Config.onoff.delay_pool_uses_indirect_client) +diff --git a/src/HttpHeaderTools.cc b/src/HttpHeaderTools.cc +index 938f928..b19f6d5 100644 +--- a/src/HttpHeaderTools.cc ++++ b/src/HttpHeaderTools.cc +@@ -289,11 +289,7 @@ httpHdrMangle(HttpHeaderEntry * e, HttpRequest * request, HeaderManglers *hms, c + + ACLFilledChecklist checklist(hm->access_list, request, nullptr); + +- checklist.al = al; +- if (al && al->reply) { +- checklist.reply = al->reply.getRaw(); +- HTTPMSGLOCK(checklist.reply); +- } ++ checklist.updateAle(al); + + // XXX: The two "It was denied" clauses below mishandle cases with no + // matching rules, violating the "If no rules within the set have matching +@@ -489,11 +485,7 @@ httpHdrAdd(HttpHeader *heads, HttpRequest *request, const AccessLogEntryPointer + { + ACLFilledChecklist checklist(nullptr, request, nullptr); + +- checklist.al = al; +- if (al && al->reply) { +- checklist.reply = al->reply.getRaw(); +- HTTPMSGLOCK(checklist.reply); +- } ++ checklist.updateAle(al); + + for (HeaderWithAclList::const_iterator hwa = headersAdd.begin(); hwa != headersAdd.end(); ++hwa) { + if (!hwa->aclList || checklist.fastCheck(hwa->aclList).allowed()) { +diff --git a/src/HttpReply.cc b/src/HttpReply.cc +index 47597be..ea62618 100644 +--- a/src/HttpReply.cc ++++ b/src/HttpReply.cc +@@ -596,8 +596,7 @@ HttpReply::calcMaxBodySize(HttpRequest& request) const + + ACLFilledChecklist ch(nullptr, &request, nullptr); + // XXX: cont-cast becomes irrelevant when checklist is HttpReply::Pointer +- ch.reply = const_cast(this); +- HTTPMSGLOCK(ch.reply); ++ ch.updateReply(this); + for (AclSizeLimit *l = Config.ReplyBodySize; l; l = l -> next) { + /* if there is no ACL list or if the ACLs listed match use this size value */ + if (!l->aclList || ch.fastCheck(l->aclList).allowed()) { +diff --git a/src/Notes.cc b/src/Notes.cc +index cba2c71..460cad1 100644 +--- a/src/Notes.cc ++++ b/src/Notes.cc +@@ -70,11 +70,9 @@ bool + Note::match(HttpRequest *request, HttpReply *reply, const AccessLogEntry::Pointer &al, SBuf &matched) + { + ACLFilledChecklist ch(nullptr, request, nullptr); +- ch.al = al; +- ch.reply = reply; ++ ch.updateAle(al); ++ ch.updateReply(reply); + ch.syncAle(request, nullptr); +- if (reply) +- HTTPMSGLOCK(ch.reply); + + for (const auto &v: values) { + assert(v->aclList); +diff --git a/src/acl/ConnectionsEncrypted.cc b/src/acl/ConnectionsEncrypted.cc +index 3ae45df..12b7eae 100644 +--- a/src/acl/ConnectionsEncrypted.cc ++++ b/src/acl/ConnectionsEncrypted.cc +@@ -55,8 +55,8 @@ Acl::ConnectionsEncrypted::match(ACLChecklist *checklist) + + const bool safeRequest = + !(filled->request->sources & Http::Message::srcUnsafe); +- const bool safeReply = !filled->reply || +- !(filled->reply->sources & Http::Message::srcUnsafe); ++ const bool safeReply = !filled->hasReply() || ++ !(filled->reply().sources & Http::Message::srcUnsafe); + + return (safeRequest && safeReply) ? 1 : 0; + } +diff --git a/src/acl/FilledChecklist.cc b/src/acl/FilledChecklist.cc +index 2855401..bd4b88b 100644 +--- a/src/acl/FilledChecklist.cc ++++ b/src/acl/FilledChecklist.cc +@@ -27,7 +27,6 @@ CBDATA_CLASS_INIT(ACLFilledChecklist); + ACLFilledChecklist::ACLFilledChecklist() : + dst_rdns(nullptr), + request (nullptr), +- reply (nullptr), + #if USE_AUTH + auth_user_request (nullptr), + #endif +@@ -54,8 +53,6 @@ ACLFilledChecklist::~ACLFilledChecklist() + + HTTPMSGUNLOCK(request); + +- HTTPMSGUNLOCK(reply); +- + cbdataReferenceDone(conn_); + + debugs(28, 4, "ACLFilledChecklist destroyed " << this); +@@ -107,9 +104,9 @@ ACLFilledChecklist::verifyAle() const + } + } + +- if (reply && !al->reply) { ++ if (hasReply() && !al->reply) { + showDebugWarning("HttpReply object"); +- al->reply = reply; ++ al->reply = reply_; + } + + #if USE_IDENT +@@ -214,7 +211,6 @@ ACLFilledChecklist::markSourceDomainChecked() + ACLFilledChecklist::ACLFilledChecklist(const acl_access *A, HttpRequest *http_request, const char *ident): + dst_rdns(nullptr), + request(nullptr), +- reply(nullptr), + #if USE_AUTH + auth_user_request(nullptr), + #endif +@@ -268,3 +264,21 @@ ACLFilledChecklist::setIdent(const char *ident) + #endif + } + ++void ++ACLFilledChecklist::updateAle(const AccessLogEntry::Pointer &a) ++{ ++ if (!a) ++ return; ++ ++ al = a; // could have been set already (to a different value) ++ if (!request) ++ setRequest(a->request); ++ updateReply(a->reply); ++} ++ ++void ++ACLFilledChecklist::updateReply(const HttpReply::Pointer &r) ++{ ++ if (r) ++ reply_ = r; // may already be set, including to r ++} +diff --git a/src/acl/FilledChecklist.h b/src/acl/FilledChecklist.h +index 1c289b5..4c3960e 100644 +--- a/src/acl/FilledChecklist.h ++++ b/src/acl/FilledChecklist.h +@@ -14,6 +14,8 @@ + #include "acl/forward.h" + #include "base/CbcPointer.h" + #include "error/forward.h" ++#include "HttpReply.h" ++#include "HttpRequest.h" + #include "ip/Address.h" + #if USE_AUTH + #include "auth/UserRequest.h" +@@ -42,6 +44,7 @@ public: + void setRequest(HttpRequest *); + /// configure rfc931 user identity for the first time + void setIdent(const char *userIdentity); ++ void updateAle(const AccessLogEntry::Pointer &); + + public: + /// The client connection manager +@@ -57,6 +60,14 @@ public: + + //int authenticated(); + ++ /// response added by updateReply() ++ /// \prec hasReply() ++ const HttpReply &reply() const { return *reply_; } ++ ++ /// Remembers the given response (if it is not nil) or does nothing ++ /// (otherwise). ++ void updateReply(const HttpReply::Pointer &); ++ + bool destinationDomainChecked() const; + void markDestinationDomainChecked(); + bool sourceDomainChecked() const; +@@ -64,7 +75,7 @@ public: + + // ACLChecklist API + bool hasRequest() const override { return request != nullptr; } +- bool hasReply() const override { return reply != nullptr; } ++ bool hasReply() const override { return reply_ != nullptr; } + bool hasAle() const override { return al != nullptr; } + void syncAle(HttpRequest *adaptedRequest, const char *logUri) const override; + void verifyAle() const override; +@@ -77,7 +88,6 @@ public: + char *dst_rdns; + + HttpRequest *request; +- HttpReply *reply; + + char rfc931[USER_IDENT_SZ]; + #if USE_AUTH +@@ -108,6 +118,9 @@ public: + private: + ConnStateData * conn_; /**< hack for ident and NTLM */ + int fd_; /**< may be available when conn_ is not */ ++ ++ HttpReply::Pointer reply_; ///< response added by updateReply() or nil ++ + bool destinationDomainChecked_; + bool sourceDomainChecked_; + /// not implemented; will cause link failures if used +diff --git a/src/acl/HttpHeaderData.cc b/src/acl/HttpHeaderData.cc +index 2db401e..a88ab93 100644 +--- a/src/acl/HttpHeaderData.cc ++++ b/src/acl/HttpHeaderData.cc +@@ -36,20 +36,18 @@ ACLHTTPHeaderData::~ACLHTTPHeaderData() + } + + bool +-ACLHTTPHeaderData::match(HttpHeader* hdr) ++ACLHTTPHeaderData::match(const HttpHeader &hdr) + { +- if (hdr == nullptr) +- return false; + + debugs(28, 3, "aclHeaderData::match: checking '" << hdrName << "'"); + + String value; + if (hdrId != Http::HdrType::BAD_HDR) { +- if (!hdr->has(hdrId)) ++ if (!hdr.has(hdrId)) + return false; +- value = hdr->getStrOrList(hdrId); ++ value = hdr.getStrOrList(hdrId); + } else { +- if (!hdr->hasNamed(hdrName, &value)) ++ if (!hdr.hasNamed(hdrName, &value)) + return false; + } + +diff --git a/src/acl/HttpHeaderData.h b/src/acl/HttpHeaderData.h +index 5036d11..fc103eb 100644 +--- a/src/acl/HttpHeaderData.h ++++ b/src/acl/HttpHeaderData.h +@@ -14,14 +14,14 @@ + #include "sbuf/SBuf.h" + #include "SquidString.h" + +-class ACLHTTPHeaderData : public ACLData ++class ACLHTTPHeaderData: public ACLData + { + MEMPROXY_CLASS(ACLHTTPHeaderData); + + public: + ACLHTTPHeaderData(); + ~ACLHTTPHeaderData() override; +- bool match(HttpHeader* hdr) override; ++ bool match(const HttpHeader &) override; + SBufList dump() const override; + void parse() override; + bool empty() const override; +diff --git a/src/acl/HttpRepHeader.cc b/src/acl/HttpRepHeader.cc +index 819a0e7..530625d 100644 +--- a/src/acl/HttpRepHeader.cc ++++ b/src/acl/HttpRepHeader.cc +@@ -13,8 +13,9 @@ + #include "HttpReply.h" + + int +-ACLHTTPRepHeaderStrategy::match (ACLData * &data, ACLFilledChecklist *checklist) ++ACLHTTPRepHeaderStrategy::match (ACLData * &data, ACLFilledChecklist * const ch) + { +- return data->match (&checklist->reply->header); ++ const auto checklist = Filled(ch); ++ return data->match(checklist->reply().header); + } + +diff --git a/src/acl/HttpRepHeader.h b/src/acl/HttpRepHeader.h +index 3257b55..ede1fe9 100644 +--- a/src/acl/HttpRepHeader.h ++++ b/src/acl/HttpRepHeader.h +@@ -14,7 +14,7 @@ + #include "HttpHeader.h" + + /// \ingroup ACLAPI +-class ACLHTTPRepHeaderStrategy : public ACLStrategy ++class ACLHTTPRepHeaderStrategy : public ACLStrategy + { + + public: +diff --git a/src/acl/HttpReqHeader.cc b/src/acl/HttpReqHeader.cc +index 58911ae..742aff2 100644 +--- a/src/acl/HttpReqHeader.cc ++++ b/src/acl/HttpReqHeader.cc +@@ -13,8 +13,9 @@ + #include "HttpRequest.h" + + int +-ACLHTTPReqHeaderStrategy::match (ACLData * &data, ACLFilledChecklist *checklist) ++ACLHTTPReqHeaderStrategy::match (ACLData * &data, ACLFilledChecklist * const ch) + { +- return data->match (&checklist->request->header); ++ const auto checklist = Filled(ch); ++ return data->match (checklist->request->header); + } + +diff --git a/src/acl/HttpReqHeader.h b/src/acl/HttpReqHeader.h +index c6cdc74..e43866a 100644 +--- a/src/acl/HttpReqHeader.h ++++ b/src/acl/HttpReqHeader.h +@@ -13,7 +13,7 @@ + #include "HttpHeader.h" + + /// \ingroup ACLAPI +-class ACLHTTPReqHeaderStrategy : public ACLStrategy ++class ACLHTTPReqHeaderStrategy : public ACLStrategy + { + + public: +diff --git a/src/acl/HttpStatus.cc b/src/acl/HttpStatus.cc +index 1cda99e..dbead17 100644 +--- a/src/acl/HttpStatus.cc ++++ b/src/acl/HttpStatus.cc +@@ -116,7 +116,7 @@ aclParseHTTPStatusList(Splay **curlist) + int + ACLHTTPStatus::match(ACLChecklist *checklist) + { +- return aclMatchHTTPStatus(&data, Filled(checklist)->reply->sline.status()); ++ return aclMatchHTTPStatus(&data, Filled(checklist)->reply().sline.status()); + } + + int +diff --git a/src/acl/ReplyHeaderStrategy.h b/src/acl/ReplyHeaderStrategy.h +index 7a246b5..424f0a6 100644 +--- a/src/acl/ReplyHeaderStrategy.h ++++ b/src/acl/ReplyHeaderStrategy.h +@@ -28,7 +28,7 @@ template + int + ACLReplyHeaderStrategy
::match (ACLData * &data, ACLFilledChecklist *checklist) + { +- char const *theHeader = checklist->reply->header.getStr(header); ++ char const *theHeader = checklist->reply().header.getStr(header); + + if (nullptr == theHeader) + return 0; +diff --git a/src/acl/ReplyMimeType.h b/src/acl/ReplyMimeType.h +index 8dcd970..28f3f3d 100644 +--- a/src/acl/ReplyMimeType.h ++++ b/src/acl/ReplyMimeType.h +@@ -19,7 +19,8 @@ template <> + inline int + ACLReplyHeaderStrategy::match(ACLData * &data, ACLFilledChecklist *checklist) + { +- char const *theHeader = checklist->reply->header.getStr(Http::HdrType::CONTENT_TYPE); ++ char const *theHeader = checklist->reply().header.getStr(Http::HdrType::CONTENT_TYPE); ++ + + if (nullptr == theHeader) + theHeader = ""; +diff --git a/src/adaptation/AccessCheck.cc b/src/adaptation/AccessCheck.cc +index 279bdc3..35b2dae 100644 +--- a/src/adaptation/AccessCheck.cc ++++ b/src/adaptation/AccessCheck.cc +@@ -131,9 +131,8 @@ Adaptation::AccessCheck::checkCandidates() + /* BUG 2526: what to do when r->acl is empty?? */ + // XXX: we do not have access to conn->rfc931 here. + acl_checklist = new ACLFilledChecklist(r->acl, filter.request, dash_str); +- if ((acl_checklist->reply = filter.reply)) +- HTTPMSGLOCK(acl_checklist->reply); +- acl_checklist->al = filter.al; ++ acl_checklist->updateAle(filter.al); ++ acl_checklist->updateReply(filter.reply); + acl_checklist->syncAle(filter.request, nullptr); + acl_checklist->nonBlockingCheck(AccessCheckCallbackWrapper, this); + return; +diff --git a/src/adaptation/icap/Launcher.cc b/src/adaptation/icap/Launcher.cc +index eed6978..71b8818 100644 +--- a/src/adaptation/icap/Launcher.cc ++++ b/src/adaptation/icap/Launcher.cc +@@ -142,8 +142,7 @@ bool Adaptation::Icap::Launcher::canRepeat(Adaptation::Icap::XactAbortInfo &info + + ACLFilledChecklist *cl = + new ACLFilledChecklist(TheConfig.repeat, info.icapRequest, dash_str); +- cl->reply = info.icapReply; +- HTTPMSGLOCK(cl->reply); ++ cl->updateReply(info.icapReply); + + bool result = cl->fastCheck().allowed(); + delete cl; +diff --git a/src/adaptation/icap/icap_log.cc b/src/adaptation/icap/icap_log.cc +index 44522f3..fdfba8d 100644 +--- a/src/adaptation/icap/icap_log.cc ++++ b/src/adaptation/icap/icap_log.cc +@@ -61,10 +61,7 @@ void icapLogLog(AccessLogEntry::Pointer &al) + { + if (IcapLogfileStatus == LOG_ENABLE) { + ACLFilledChecklist checklist(nullptr, al->adapted_request, nullptr); +- if (al->reply) { +- checklist.reply = al->reply.getRaw(); +- HTTPMSGLOCK(checklist.reply); +- } ++ checklist.updateAle(al); + accessLogLogTo(Config.Log.icaplogs, al, &checklist); + } + } +diff --git a/src/auth/UserRequest.cc b/src/auth/UserRequest.cc +index 3b91676..57a29c5 100644 +--- a/src/auth/UserRequest.cc ++++ b/src/auth/UserRequest.cc +@@ -466,8 +466,7 @@ schemesConfig(HttpRequest *request, HttpReply *rep) + { + if (!Auth::TheConfig.schemeLists.empty() && Auth::TheConfig.schemeAccess) { + ACLFilledChecklist ch(nullptr, request, nullptr); +- ch.reply = rep; +- HTTPMSGLOCK(ch.reply); ++ ch.updateReply(rep); + const auto answer = ch.fastCheck(Auth::TheConfig.schemeAccess); + if (answer.allowed()) + return Auth::TheConfig.schemeLists.at(answer.kind).authConfigs; +diff --git a/src/client_side.cc b/src/client_side.cc +index b266a3f..f08cb04 100644 +--- a/src/client_side.cc ++++ b/src/client_side.cc +@@ -446,31 +446,19 @@ ClientHttpRequest::logRequest() + } + // The al->notes and request->notes must point to the same object. + al->syncNotes(request); +- } +- +- ACLFilledChecklist checklist(nullptr, request, nullptr); +- if (al->reply) { +- checklist.reply = al->reply.getRaw(); +- HTTPMSGLOCK(checklist.reply); +- } +- +- if (request) { + HTTPMSGUNLOCK(al->adapted_request); + al->adapted_request = request; + HTTPMSGLOCK(al->adapted_request); + } ++ ACLFilledChecklist checklist(nullptr, request, nullptr); ++ checklist.updateAle(al); + // no need checklist.syncAle(): already synced +- checklist.al = al; + accessLogLog(al, &checklist); + + bool updatePerformanceCounters = true; + if (Config.accessList.stats_collection) { + ACLFilledChecklist statsCheck(Config.accessList.stats_collection, request, nullptr); +- statsCheck.al = al; +- if (al->reply) { +- statsCheck.reply = al->reply.getRaw(); +- HTTPMSGLOCK(statsCheck.reply); +- } ++ statsCheck.updateAle(al); + updatePerformanceCounters = statsCheck.fastCheck().allowed(); + } + +@@ -3523,12 +3511,8 @@ clientAclChecklistFill(ACLFilledChecklist &checklist, ClientHttpRequest *http) + checklist.setRequest(http->request); + + if (!checklist.al && http->al) { +- checklist.al = http->al; ++ checklist.updateAle(http->al); + checklist.syncAle(http->request, http->log_uri); +- if (!checklist.reply && http->al->reply) { +- checklist.reply = http->al->reply.getRaw(); +- HTTPMSGLOCK(checklist.reply); +- } + } + + if (const auto conn = http->getConn()) +diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc +index e39ab9b..630600b 100644 +--- a/src/client_side_reply.cc ++++ b/src/client_side_reply.cc +@@ -840,11 +840,9 @@ clientReplyContext::blockedHit() const + if (http->flags.internal) + return false; // internal content "hits" cannot be blocked + +- const auto &rep = http->storeEntry()->mem().freshestReply(); + { + std::unique_ptr chl(clientAclChecklistCreate(Config.accessList.sendHit, http)); +- chl->reply = const_cast(&rep); // ACLChecklist API bug +- HTTPMSGLOCK(chl->reply); ++ chl->updateReply(&http->storeEntry()->mem().freshestReply()); + return !chl->fastCheck().allowed(); // when in doubt, block + } + } +@@ -1850,8 +1848,7 @@ clientReplyContext::processReplyAccess () + /** Process http_reply_access lists */ + ACLFilledChecklist *replyChecklist = + clientAclChecklistCreate(Config.accessList.reply, http); +- replyChecklist->reply = reply; +- HTTPMSGLOCK(replyChecklist->reply); ++ replyChecklist->updateReply(reply); + replyChecklist->nonBlockingCheck(ProcessReplyAccessResult, this); + } + +diff --git a/src/clients/Client.cc b/src/clients/Client.cc +index 7de6274..d799972 100644 +--- a/src/clients/Client.cc ++++ b/src/clients/Client.cc +@@ -555,9 +555,8 @@ Client::blockCaching() + // This relatively expensive check is not in StoreEntry::checkCachable: + // That method lacks HttpRequest and may be called too many times. + ACLFilledChecklist ch(acl, originalRequest().getRaw()); +- ch.reply = const_cast(&entry->mem().freshestReply()); // ACLFilledChecklist API bug +- HTTPMSGLOCK(ch.reply); +- ch.al = fwd->al; ++ ch.updateAle(fwd->al); ++ ch.updateReply(&entry->mem().freshestReply()); + if (!ch.fastCheck().allowed()) { // when in doubt, block + debugs(20, 3, "store_miss prohibits caching"); + return true; +diff --git a/src/http.cc b/src/http.cc +index e3f9b4c..71e65b4 100644 +--- a/src/http.cc ++++ b/src/http.cc +@@ -773,10 +773,9 @@ HttpStateData::handle1xx(HttpReply *reply) + // check whether the 1xx response forwarding is allowed by squid.conf + if (Config.accessList.reply) { + ACLFilledChecklist ch(Config.accessList.reply, originalRequest().getRaw()); +- ch.al = fwd->al; +- ch.reply = reply; ++ ch.updateAle(fwd->al); ++ ch.updateReply(reply); + ch.syncAle(originalRequest().getRaw(), nullptr); +- HTTPMSGLOCK(ch.reply); + if (!ch.fastCheck().allowed()) // TODO: support slow lookups? + return drop1xx("http_reply_access blocked it"); + } +diff --git a/src/http/Stream.cc b/src/http/Stream.cc +index 542c293..c3a1508 100644 +--- a/src/http/Stream.cc ++++ b/src/http/Stream.cc +@@ -294,8 +294,7 @@ Http::Stream::sendStartOfMessage(HttpReply *rep, StoreIOBuffer bodyData) + for (const auto &pool: MessageDelayPools::Instance()->pools) { + if (pool->access) { + std::unique_ptr chl(clientAclChecklistCreate(pool->access, http)); +- chl->reply = rep; +- HTTPMSGLOCK(chl->reply); ++ chl->updateReply(rep); + const auto answer = chl->fastCheck(); + if (answer.allowed()) { + writeQuotaHandler = pool->createBucket(); +diff --git a/src/neighbors.cc b/src/neighbors.cc +index 628b801..d19e398 100644 +--- a/src/neighbors.cc ++++ b/src/neighbors.cc +@@ -170,11 +170,7 @@ peerAllowedToUse(const CachePeer * p, PeerSelector * ps) + return true; + + ACLFilledChecklist checklist(p->access, request, nullptr); +- checklist.al = ps->al; +- if (ps->al && ps->al->reply) { +- checklist.reply = ps->al->reply.getRaw(); +- HTTPMSGLOCK(checklist.reply); +- } ++ checklist.updateAle(ps->al); + checklist.syncAle(request, nullptr); + return checklist.fastCheck().allowed(); + } +-- +2.44.0 + diff --git a/squid.spec b/squid.spec index 3e20def..4488ff5 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.10 -Release: 13%{?dist} +Release: 14%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -50,6 +50,8 @@ Patch208: squid-6.10-cache-peer-connect-errors.patch Patch209: squid-6.10-provider-keys-digest.patch # https://issues.redhat.com/browse/RHEL-129457 Patch210: squid-6.10-dont-stuck-respmod.patch +# https://redhat.atlassian.net/browse/RHEL-169992 +Patch211: squid-6.10-memleak-http-reply.patch # Security patches # https://bugzilla.redhat.com/show_bug.cgi?id=2404736 @@ -338,6 +340,10 @@ fi %changelog +* Wed Apr 29 2026 Luboš Uhliarik - 7:6.10-14 +- Resolves: RHEL-169992 - Setting "http_reply_access" in squid.conf + causes a memory leak + * Tue Apr 28 2026 Luboš Uhliarik - 7:6.10-13 - Resolves: RHEL-157474 - squid should use systemd-tmpfiles to create directories under /var/