RDKB-64644: Potential Fix for SE051 ENGINE memory leak in telemetry HTTP pool #360
Merged
…TTP pool

Reason for change: On HROT platforms using the SE051 secure element (XB10/XER10/SXB10), the e4sss OpenSSL ENGINE accumulates per-session hardware state (APDU session objects, secure channel buffers) across mTLS operations. Unlike SE050 (XB8), the SE051 ENGINE allocates larger per-session state that is not released by curl's connection cache management, OPENSSL_thread_stop, or ERR_clear_error() alone. This causes a progressive memory leak (~5MB baseline increase + ~5MB growth over 10+ days) in the telemetry process.
1) Set CURLOPT_FORBID_REUSE=1 so curl closes the TCP+TLS connection after each request. This triggers the natural OpenSSL cleanup path: SSL_CTX_free -> EC_KEY_free -> ENGINE_finish, releasing the hardware session state.
2) Add ERR_clear_error() in both GET and POST xPKI retry loops to drain the OpenSSL error queue between retries, preventing ENGINE-internal error state accumulation.
Test Procedure: Please refer to the ticket
Risks: High
Signed-off-by: Thamim Razith <tabbas651@cable.comcast.com>
shibu-kv approved these changes May 4, 2026
Contributor
Pull request overview
This PR aims to mitigate a long-running memory leak observed on HROT platforms using the SE051 OpenSSL ENGINE during repeated mTLS operations in the telemetry HTTP connection pool.
Changes:
- Forces libcurl to close connections after each request by setting CURLOPT_FORBID_REUSE=1 on pooled easy handles.
- Clears the OpenSSL per-thread error queue (ERR_clear_error()) inside the GET/POST xPKI retry loops to avoid error-state accumulation between retries.
- Reorders an ownership note comment near the OpenSSL error-queue cleanup in http_pool_get().
| CURL_SETOPT_CHECK(pool_entries[i].easy_handle, CURLOPT_FORBID_REUSE, 0L); | ||
| //Disable connection reuse (FORBID_REUSE=1) so that | ||
| // curl tears down the TLS session after each request. This causes | ||
| // OpenSSL to call SSL_CTX_free → EC_KEY_free → ENGINE_finish through |
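Review bot: The CURL_SETOPT_CHECK call at the top of this hunk passes 0L for CURLOPT_FORBID_REUSE, while the comment directly below it describes FORBID_REUSE=1. Confirm the resulting code sets the option exactly once with 1L on every pooled easy handle; a leftover 0L call that runs after the new one would silently re-enable reuse, and the SSL_CTX_free → EC_KEY_free → ENGINE_finish path the comment relies on would not be reached. The comment should also state the cost of the change: every pooled request now pays a full TCP and TLS handshake.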
Comment on lines 618 to 630
| // Execute the request and retry incase of certificate related error | ||
| curl_code = curl_easy_perform(easy); | ||
|
|
||
| long http_code; | ||
| curl_easy_getinfo(easy, CURLINFO_RESPONSE_CODE, &http_code); | ||
|
|
||
| if(curl_code != CURLE_OK || http_code != 200) | ||
| { | ||
| T2Error("%s: Failed to establish connection using xPKI certificate: %s, Curl failed : %d\n", __func__, pCertFile, curl_code); | ||
| // Drain OpenSSL error queue between retries to prevent | ||
| // ENGINE-internal error state accumulation (HROT/SE051). | ||
| ERR_clear_error(); | ||
| } |
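Review bot: http_code is declared without an initializer and the return value of curl_easy_getinfo() is ignored, so if that call fails the http_code != 200 test reads an indeterminate value; initialize it to 0 and check the return code. The T2Error message reports only curl_code although the branch is also taken when curl_code is CURLE_OK and the response is not 200, so include http_code in the log line. ERR_clear_error() discards the queued OpenSSL errors without recording them; if they are needed to diagnose xPKI failures, log them before draining the queue.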
Contributor
Bypassing L2 failures and merging as the test failures are not from these changes. Test failures appear to be due to test docker infrastructure changes from recent release - https://github.com/rdkcentral/docker-device-mgt-service-test/releases/tag/1.7.13