[nginx] Upstream: plugged potential memory leak on reload.

Maxim Dounin mdounin at mdounin.ru
Fri Apr 18 16:33:38 UTC 2014 

details:   http://hg.nginx.org/nginx/rev/3fb6615bb87f
branches:  
changeset: 5659:3fb6615bb87f
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Fri Apr 18 20:13:24 2014 +0400
description:
Upstream: plugged potential memory leak on reload.

The SSL_CTX_set_cipher_list() may fail if there are no valid ciphers
specified in proxy_ssl_ciphers / uwsgi_ssl_ciphers, resulting in
SSL context leak.

In theory, ngx_pool_cleanup_add() may fail too, but this case is
intentionally left out for now as it's almost impossible and proper fix
will require changes to http ssl and mail ssl code as well.

diffstat:

 src/http/modules/ngx_http_proxy_module.c |  16 ++++++++--------
 src/http/modules/ngx_http_uwsgi_module.c |  16 ++++++++--------
 2 files changed, 16 insertions(+), 16 deletions(-)

diffs (66 lines):

diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -3774,6 +3774,14 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
         return NGX_ERROR;
     }
 
+    cln = ngx_pool_cleanup_add(cf->pool, 0);
+    if (cln == NULL) {
+        return NGX_ERROR;
+    }
+
+    cln->handler = ngx_ssl_cleanup_ctx;
+    cln->data = plcf->upstream.ssl;
+
     if (SSL_CTX_set_cipher_list(plcf->upstream.ssl->ctx,
                                 (const char *) plcf->ssl_ciphers.data)
         == 0)
@@ -3784,14 +3792,6 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
         return NGX_ERROR;
     }
 
-    cln = ngx_pool_cleanup_add(cf->pool, 0);
-    if (cln == NULL) {
-        return NGX_ERROR;
-    }
-
-    cln->handler = ngx_ssl_cleanup_ctx;
-    cln->data = plcf->upstream.ssl;
-
     return NGX_OK;
 }
 
diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -2012,6 +2012,14 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n
         return NGX_ERROR;
     }
 
+    cln = ngx_pool_cleanup_add(cf->pool, 0);
+    if (cln == NULL) {
+        return NGX_ERROR;
+    }
+
+    cln->handler = ngx_ssl_cleanup_ctx;
+    cln->data = uwcf->upstream.ssl;
+
     if (SSL_CTX_set_cipher_list(uwcf->upstream.ssl->ctx,
                                 (const char *) uwcf->ssl_ciphers.data)
         == 0)
@@ -2022,14 +2030,6 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n
         return NGX_ERROR;
     }
 
-    cln = ngx_pool_cleanup_add(cf->pool, 0);
-    if (cln == NULL) {
-        return NGX_ERROR;
-    }
-
-    cln->handler = ngx_ssl_cleanup_ctx;
-    cln->data = uwcf->upstream.ssl;
-
     return NGX_OK;
 }

More information about the nginx-devel mailing list