Fix memory leaks in SSL subsystem #13026

Open
bryancall wants to merge 3 commits into apache:master from bryancall:fix/ssl-memory-leaks

bryancall commented Mar 27, 2026

Summary

  • Fix memory leak in SSLOriginSessionCache destructor — drain queued session nodes and clear the map
  • Fix leaks in SSLConfigParams::initialize — delete old origin_sess_cache before re-allocating, free old ssl_ocsp_user_agent before overwrite
  • Fix BIO cleanup — clear BIO_FLAGS_MEM_RDONLY before BIO_free so internal BUF_MEM structures are properly released

Found via ASAN-enabled autest runs on Fedora 43.

Test plan

  • Built with ENABLE_ASAN=ON and ran full autest suite — no new LSAN reports for these symbols
  • CI

ocsp_user_agent

Fix three leak categories in SSLConfig:
- Clear BIO_FLAGS_MEM_RDONLY before BIO_free so internal
  BUF_MEM structures are properly released
- Delete existing session_cache/origin_sess_cache before
  allocating new ones in initialize()
- Free ssl_ocsp_user_agent before overwriting with new value

The destructor was empty, leaking all SSLOriginSession
objects still held in the CountQueue and map when the
cache was destroyed. Pop and delete every queued node
before the map is implicitly destroyed.

bryancall added this to the 11.0.0 milestone Mar 27, 2026
bryancall added Bug ASan Address Sanitizer labels Mar 27, 2026
bryancall self-assigned this Mar 27, 2026

Copilot AI left a comment

Pull request overview

This PR targets LSAN/ASAN-reported memory leaks in the TLS/SSL subsystem by ensuring cached session objects, config-owned strings, and OpenSSL BIO internals are properly released during teardown and reload.

Changes:

  • Drain and delete queued origin TLS session cache nodes during SSLOriginSessionCache destruction.
  • Free/recreate origin_sess_cache on SSL config reload, and free ssl_ocsp_user_agent before overwriting it.
  • Adjust BIO cleanup to clear BIO_FLAGS_MEM_RDONLY before freeing.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| src/iocore/net/SSLSessionCache.cc | Implements destructor cleanup for origin session cache nodes/map. |
| src/iocore/net/SSLConfig.cc | Frees/recreates origin session cache on reload, frees OCSP UA string before overwrite, updates BIO cleanup. |

…e cache self-sizes on insert via the static origin_session_cache_size, so recreating it is unnecessary and unsafe (concurrent TLS handshakes hold bare pointers to the global). Allocate once; let entries age out naturally when the configured size shrinks.
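
Added example, not code from this pull request or from Traffic Server: a reduced C++ model of the two behaviours the commit messages describe, a destructor that drains the queue and clears the map, and a size limit read on insert so one long-lived cache shrinks without being recreated. `SessionNode`, `CacheModel`, `live()` and both helper functions are hypothetical names; the `live()` registry exists only so the example can count leaked nodes and reclaim them.

```cpp
#include <cstddef>
#include <deque>
#include <map>
#include <set>
#include <string>

struct SessionNode; // hypothetical stand-in for one cached origin session
static std::set<SessionNode *> &live() { static std::set<SessionNode *> s; return s; }
struct SessionNode {
  std::string key;
  explicit SessionNode(const std::string &k) : key(k) { live().insert(this); }
  ~SessionNode() { live().erase(this); }
};
class CacheModel {
  std::deque<SessionNode *> queue_;          // owns the nodes, oldest first
  std::map<std::string, SessionNode *> map_; // lookup index, raw pointers
  bool drain_;                               // false models the empty destructor
public:
  explicit CacheModel(bool drain) : drain_(drain) {}
  ~CacheModel() {
    if (!drain_) return; // containers of raw pointers free nothing themselves
    while (!queue_.empty()) { delete queue_.front(); queue_.pop_front(); }
    map_.clear();
  }
  void insert(const std::string &key, std::size_t limit) { // limit is read on every insert
    if (limit == 0 || map_.count(key)) return;
    while (queue_.size() >= limit) { // a smaller limit evicts the oldest entries here
      SessionNode *old = queue_.front(); queue_.pop_front();
      map_.erase(old->key); delete old;
    }
    SessionNode *n = new SessionNode(key);
    queue_.push_back(n); map_[key] = n;
  }
  std::size_t size() const { return queue_.size(); }
};

// Nodes still allocated after a cache holding n entries is destroyed.
std::size_t leaked_after_destroy(bool drain, int n) {
  { CacheModel c(drain); for (int i = 0; i < n; ++i) c.insert("origin" + std::to_string(i), 100); }
  std::size_t leaked = live().size();
  while (!live().empty()) delete *live().begin(); // reclaim so the demo itself is clean
  return leaked;
}
// Entry count after the limit shrinks from 8 to 3 and one more insert arrives.
std::size_t size_after_shrink() {
  CacheModel c(true);
  for (int i = 0; i < 8; ++i) c.insert("o" + std::to_string(i), 8);
  c.insert("new", 3);
  return c.size();
}
```

With `drain` false every node outlives the cache, which is the condition a leak checker reports at exit; with `drain` true none do, and the shrink case shows the same instance settling to the new limit while its address stays valid for existing holders.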