Bug #36480 OpenSSL Memory Leaks
Submitted: 2006-02-21 18:07 UTC Modified: 2006-06-03 01:00 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: polone at townnews dot com Assigned:
Status: No Feedback Package: OpenSSL related
PHP Version: 4.4.2 OS: RedHat FC4
Private report: No CVE-ID: None
 [2006-02-21 18:07 UTC] polone at townnews dot com
Description:
------------
The OpenSSL extension in PHP leaks memory. Using valgrind, I was able to determine that there is a consistent leak of about 20K. There are two leaks: one is the result of calling SSL_get_ex_new_index() during MINIT, which doesn't supply any mechanism for free_func (according to the prototype). The other leak, which accounts for about 19K, is from loading error strings but not calling the relevant free() function.

Another problem was noticed in network.c. There is a call to SSL_CTX_new(), but no corresponding SSL_CTX_free() when the socket is closed. Because the pointer for ctx is localized, the original pointer is lost - using SSL_get_SSL_CTX() allows you to retrieve the context and free it properly before calling SSL_free() during socket close.

I've included a patch which corrects two of the issues:

diff -Naur php-4.4.2/ext/openssl/openssl.c php-fixed/ext/openssl/openssl.c
--- php-4.4.2/ext/openssl/openssl.c     2006-01-01 07:46:55.000000000 -0600
+++ php-4.4.2/ext/openssl/openssl.c     2006-02-21 10:45:32.000000000 -0600
@@ -651,6 +651,7 @@
  */
 PHP_MSHUTDOWN_FUNCTION(openssl)
 {
+ ERR_free_strings();
  EVP_cleanup();
  return SUCCESS;
 }
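Review bot: ERR_free_strings() in PHP_MSHUTDOWN_FUNCTION(openssl) tears down OpenSSL's process-wide error-string tables, so it needs a comment naming the MINIT calls it pairs with (the valgrind trace in this report shows ERR_load_crypto_strings and ERR_load_ERR_strings under zm_startup_openssl) and noting that, like the EVP_cleanup() next to it, it affects any other OpenSSL user loaded into the same process. The description also lists a startup leak from SSL_get_ex_new_index() that this hunk leaves in place; the commit message should say so.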
diff -Naur php-4.4.2/main/network.c php-fixed/main/network.c
--- php-4.4.2/main/network.c  2006-01-01 07:46:59.000000000 -0600
+++ php-4.4.2/main/network.c  2006-02-21 10:45:27.000000000 -0600
@@ -1091,11 +1091,14 @@

  if (close_handle) {
 #ifdef HAVE_OPENSSL_EXT
+
     if (sock->ssl_active) {
        SSL_shutdown(sock->ssl_handle);
        sock->ssl_active = 0;
     }
     if (sock->ssl_handle) {
+       SSL_CTX *ctx = SSL_get_SSL_CTX(sock->ssl_handle);
+       SSL_CTX_free(ctx);
        SSL_free(sock->ssl_handle);
        sock->ssl_handle = NULL;
     }
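Review bot: The SSL_CTX_free(ctx) added ahead of SSL_free(sock->ssl_handle) is only correct if every ssl_handle was created from its own SSL_CTX that no other path releases; if a context were ever shared between sockets or freed elsewhere, this would drop a reference the socket does not own. SSL_CTX is reference counted and the SSL handle keeps its own reference, so consider releasing the creator's reference in the function that calls SSL_CTX_new(), right after the SSL handle is created from it, which keeps allocation and release together and removes the need for the SSL_get_SSL_CTX() lookup at close. The lone added blank line after #ifdef HAVE_OPENSSL_EXT is unrelated whitespace and should be dropped.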


Reproduce code:
---------------
<?php

readfile("https://secure.townnews.com/");

?>

Expected result:
----------------
No memory leaks.

Actual result:
--------------
==2610==
==2610== ERROR SUMMARY: 8076 errors from 411 contexts (suppressed: 0 from 0)
==2610== malloc/free: in use at exit: 25,224 bytes in 1,608 blocks.
==2610== malloc/free: 7,727 allocs, 6,119 frees, 555,906 bytes allocated.
==2610== For counts of detected errors, rerun with: -v
==2610== searching for pointers to 1,608 not-freed blocks.
==2610== checked 607,512 bytes.
==2610==
==2610==
==2610== 28 bytes in 1 blocks are possibly lost in loss record 1 of 6
==2610==    at 0x40211F9: malloc (vg_replace_malloc.c:149)
==2610==    by 0x441DED4: strdup (in /lib/libc-2.3.5.so)
==2610==    by 0x8153FD5: (within /usr/bin/php)
==2610==    by 0x8155BB5: php_module_startup (in /usr/bin/php)
==2610==    by 0x819F4A9: main (in /usr/bin/php)
==2610==
==2610==
==2610== 1,220 (248 direct, 972 indirect) bytes in 1 blocks are definitely lost in loss record 2 of 6
==2610==    at 0x40211F9: malloc (vg_replace_malloc.c:149)
==2610==    by 0x4221B69: (within /lib/libcrypto.so.0.9.7f)
==2610==    by 0x4222110: CRYPTO_malloc (in /lib/libcrypto.so.0.9.7f)
==2610==    by 0x41DF1D9: SSL_CTX_new (in /lib/libssl.so.0.9.7f)
==2610==    by 0x81668C3: php_stream_sock_ssl_activate_with_method (in /usr/bin/php)
==2610==    by 0x8119CDD: php_stream_url_wrap_http_ex (in /usr/bin/php)
==2610==    by 0x811B51F: php_stream_url_wrap_http (in /usr/bin/php)
==2610==    by 0x81656FB: _php_stream_open_wrapper_ex (in /usr/bin/php)
==2610==    by 0x80E0FF0: zif_readfile (in /usr/bin/php)
==2610==    by 0x8198E71: execute (in /usr/bin/php)
==2610==    by 0x8186581: zend_execute_scripts (in /usr/bin/php)
==2610==    by 0x8156BE1: php_execute_script (in /usr/bin/php)
==2610==
==2610==
==2610== 460 bytes in 12 blocks are indirectly lost in loss record 3 of 6
==2610==    at 0x40211F9: malloc (vg_replace_malloc.c:149)
==2610==    by 0x4221B69: (within /lib/libcrypto.so.0.9.7f)
==2610==    by 0x4222110: CRYPTO_malloc (in /lib/libcrypto.so.0.9.7f)
==2610==    by 0x41E0172: ssl_cert_new (in /lib/libssl.so.0.9.7f)
==2610==    by 0x41DF2D0: SSL_CTX_new (in /lib/libssl.so.0.9.7f)
==2610==    by 0x81668C3: php_stream_sock_ssl_activate_with_method (in /usr/bin/php)
==2610==    by 0x8119CDD: php_stream_url_wrap_http_ex (in /usr/bin/php)
==2610==    by 0x811B51F: php_stream_url_wrap_http (in /usr/bin/php)
==2610==    by 0x81656FB: _php_stream_open_wrapper_ex (in /usr/bin/php)
==2610==    by 0x80E0FF0: zif_readfile (in /usr/bin/php)
==2610==    by 0x8198E71: execute (in /usr/bin/php)
==2610==    by 0x8186581: zend_execute_scripts (in /usr/bin/php)
==2610==
==2610==
==2610== 512 bytes in 2 blocks are indirectly lost in loss record 4 of 6
==2610==    at 0x40212ED: realloc (vg_replace_malloc.c:306)
==2610==    by 0x4221B94: (within /lib/libcrypto.so.0.9.7f)
==2610==    by 0x42221E3: CRYPTO_realloc (in /lib/libcrypto.so.0.9.7f)
==2610==    by 0x426C6AF: sk_insert (in /lib/libcrypto.so.0.9.7f)
==2610==    by 0x426C7B9: sk_push (in /lib/libcrypto.so.0.9.7f)
==2610==    by 0x41E2172: ssl_create_cipher_list (in /lib/libssl.so.0.9.7f)
==2610==    by 0x41DF348: SSL_CTX_new (in /lib/libssl.so.0.9.7f)
==2610==    by 0x81668C3: php_stream_sock_ssl_activate_with_method (in /usr/bin/php)
==2610==    by 0x8119CDD: php_stream_url_wrap_http_ex (in /usr/bin/php)
==2610==    by 0x811B51F: php_stream_url_wrap_http (in /usr/bin/php)
==2610==    by 0x81656FB: _php_stream_open_wrapper_ex (in /usr/bin/php)
==2610==    by 0x80E0FF0: zif_readfile (in /usr/bin/php)
==2610==
==2610==
==2610== 4,096 bytes in 1 blocks are still reachable in loss record 5 of 6
==2610==    at 0x40212ED: realloc (vg_replace_malloc.c:306)
==2610==    by 0x4221B94: (within /lib/libcrypto.so.0.9.7f)
==2610==    by 0x42221E3: CRYPTO_realloc (in /lib/libcrypto.so.0.9.7f)
==2610==    by 0x426D084: lh_insert (in /lib/libcrypto.so.0.9.7f)
==2610==    by 0x426F283: (within /lib/libcrypto.so.0.9.7f)
==2610==    by 0x426F7E5: (within /lib/libcrypto.so.0.9.7f)
==2610==    by 0x428DC59: ERR_load_ASN1_strings (in /lib/libcrypto.so.0.9.7f)
==2610==    by 0x427064E: ERR_load_crypto_strings (in /lib/libcrypto.so.0.9.7f)
==2610==    by 0x806AFA1: zm_startup_openssl (in /usr/bin/php)
==2610==    by 0x818898F: zend_startup_module (in /usr/bin/php)
==2610==    by 0x815569E: php_startup_extensions (in /usr/bin/php)
==2610==    by 0x81A02A4: php_startup_internal_extensions (in /usr/bin/php)
==2610==
==2610==
==2610== 19,880 bytes in 1,591 blocks are still reachable in loss record 6 of 6
==2610==    at 0x40211F9: malloc (vg_replace_malloc.c:149)
==2610==    by 0x4221B69: (within /lib/libcrypto.so.0.9.7f)
==2610==    by 0x4222110: CRYPTO_malloc (in /lib/libcrypto.so.0.9.7f)
==2610==    by 0x426CAFF: lh_new (in /lib/libcrypto.so.0.9.7f)
==2610==    by 0x426F0CD: (within /lib/libcrypto.so.0.9.7f)
==2610==    by 0x426F243: (within /lib/libcrypto.so.0.9.7f)
==2610==    by 0x426F7E5: (within /lib/libcrypto.so.0.9.7f)
==2610==    by 0x426F81E: ERR_load_ERR_strings (in /lib/libcrypto.so.0.9.7f)
==2610==    by 0x806AF97: zm_startup_openssl (in /usr/bin/php)
==2610==    by 0x818898F: zend_startup_module (in /usr/bin/php)
==2610==    by 0x815569E: php_startup_extensions (in /usr/bin/php)
==2610==    by 0x81A02A4: php_startup_internal_extensions (in /usr/bin/php)
==2610==
==2610== LEAK SUMMARY:
==2610==    definitely lost: 248 bytes in 1 blocks.
==2610==    indirectly lost: 972 bytes in 14 blocks.
==2610==      possibly lost: 28 bytes in 1 blocks.
==2610==    still reachable: 23,976 bytes in 1,592 blocks.
==2610==         suppressed: 0 bytes in 0 blocks.
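
The ownership problem described in the report (a context created through a local pointer and never released), shown as an added example that is not part of the original report or of PHP's source. It is a simplified model of reference-counted ownership, not the OpenSSL API: the names ctx_t, conn_t, close_mode and leaked_contexts are hypothetical, and the model assumes only that the connection handle takes its own reference to the context and drops it when freed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model (hypothetical names, not the OpenSSL API): ctx_new()
   hands the creator one reference, conn_new() takes a second one for the
   connection, and each *_free() call drops exactly one reference. */
typedef struct { int refs; } ctx_t;
typedef struct { ctx_t *ctx; } conn_t;
static int live_ctx = 0;                 /* contexts currently allocated */

static ctx_t *ctx_new(void) {
    ctx_t *c = malloc(sizeof *c);
    if (c) { c->refs = 1; live_ctx++; }
    return c;
}
static void ctx_free(ctx_t *c) {
    if (c && --c->refs == 0) { free(c); live_ctx--; }
}
static conn_t *conn_new(ctx_t *c) {      /* models SSL_new(): own reference */
    conn_t *s = malloc(sizeof *s);
    if (s) { s->ctx = c; c->refs++; }
    return s;
}
static void conn_free(conn_t *s) {       /* models SSL_free(): drops it */
    if (s) { ctx_free(s->ctx); free(s); }
}

enum close_mode { CLOSE_LEAKY, CLOSE_PATCHED, RELEASE_EARLY };

/* Open and close one connection; return how many contexts stay allocated. */
int leaked_contexts(enum close_mode mode) {
    live_ctx = 0;
    ctx_t *ctx = ctx_new();              /* local pointer, as in the report */
    if (!ctx) return -1;
    conn_t *s = conn_new(ctx);
    if (!s) { ctx_free(ctx); return -1; }
    if (mode == RELEASE_EARLY) ctx_free(ctx);    /* creator releases at once */
    /* The activate function returns here, so the local ctx pointer is gone. */

    /* ... later, at socket close ... */
    if (mode == CLOSE_PATCHED) ctx_free(s->ctx); /* recover ctx via handle */
    conn_free(s);
    return live_ctx;
}

int main(void) {
    printf("leaky=%d patched=%d early=%d\n", leaked_contexts(CLOSE_LEAKY),
           leaked_contexts(CLOSE_PATCHED), leaked_contexts(RELEASE_EARLY));
    return 0;
}
```

CLOSE_PATCHED mirrors the close-time release in the submitted patch; RELEASE_EARLY is the alternative of dropping the creator's reference as soon as the connection holds its own.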


 [2006-04-11 00:27 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.1-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.1-win32-latest.zip


 [2006-04-18 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2006-05-26 14:52 UTC] polone at townnews dot com
You didn't provide a snap of the latest 4.4.x branch - which is where the bug was reported. I'm not using version 5.
 [2006-05-26 15:02 UTC] pajoye@php.net
Go to http://snaps.php.net/ and fetch it.
 [2006-06-03 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
Last updated: Thu Oct 31 22:01:27 2024 UTC