Skip to content

/ go

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net/http: Server.ListenAndServeTLS() leaks TCP sockets on invalid cert or key #23002

Closed
theckman opened this issue Dec 5, 2017 · 3 comments
Closed

net/http: Server.ListenAndServeTLS() leaks TCP sockets on invalid cert or key #23002

theckman opened this issue Dec 5, 2017 · 3 comments
Labels
FrozenDueToAge NeedsFix

Comments

@theckman
Copy link
Contributor

@theckman theckman commented Dec 5, 2017

What version of Go are you using (go version)?

go version go1.9.2 darwin/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/theckman/go/"
GORACE=""
GOROOT="/Users/theckman/.gimme/versions/go1.9.2.darwin.amd64"
GOTOOLDIR="/Users/theckman/.gimme/versions/go1.9.2.darwin.amd64/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/f5/zjcsdkrx2bxdm32zzqfg5yp80000gn/T/go-build826228057=/tmp/go-build -gno-record-gcc-switches -fno-common"
CXX="clang++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"

What did you do?

What did you expect to see?

I expected the TCP socket opened by http.ListenAndServeTLS() to be closed before control was returned back to the caller.

What did you see instead?

The TCP socket was left in an open state.

If http.Server.ListenAndServeTLS() is called with either an invalid certificate or key, the function leaks the TCP socket that was opened for the server. This is because the method doesn't close the net.Listener before returning.

This is a side-effect of a difference in behaviors between http.Server.Serve() and http.Server.ServeTLS(). The non-TLS method defers a call to l.Close() to close the TCP socket before returning, the TLS version does not have this behavior implemented.

I'm not sure if the TLS method having different behavior is intentional, so I think there are two potential fixes:

  • Modify http.Server.ServeTLS() to defer a call to l.Close().
  • Avoid making behavioral changes to http.Server.ServeTLS() and instead do the defer in ListenAndServeTLS() where the TCP socket is created.
@theckman

This comment has been minimized.

Sign in to view
Copy link
Contributor Author

@theckman theckman commented Dec 5, 2017

I'm happy to try and submit a CL for this issue.
@bradfitz bradfitz added the NeedsFix label Dec 5, 2017
@bradfitz

This comment has been minimized.

Sign in to view
Copy link
Contributor

@bradfitz bradfitz commented Dec 5, 2017

@theckman, go for it. Thanks.
@gopherbot

This comment has been minimized.

Sign in to view
Copy link

@gopherbot gopherbot commented Dec 5, 2017

Change https://golang.org/cl/81955 mentions this issue: net/http: defer closing TCP socket in Server.ListenAndServeTLS()
@gopherbot gopherbot closed this in a3c1a86 Dec 5, 2017
@golang golang locked and limited conversation to collaborators Dec 5, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsFix
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
@theckman @bradfitz @gopherbot
You can’t perform that action at this time.