user/5073: httpd/ssl leaks file descriptors

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

user/5073: httpd/ssl leaks file descriptors

Darrin Chandler-3
>Number:         5073
>Category:       user
>Synopsis:       httpd/ssl leaks file descriptors
>Confidential:   yes
>Severity:       non-critical
>Priority:       low
>Responsible:    bugs
>State:          open
>Quarter:        
>Keywords:      
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Apr 10 16:40:02 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Darrin Chandler
>Release:        OPENBSD_3_8
>Organization:
net
>Environment:
        System      : OpenBSD 3.8-stable
        Architecture: any
        Machine     : any
>Description:
        httpd w/ssl leaks file descriptors when a session is not found
        in the scache dbm (new or expired session). Eventually httpd will
        give "Access denied / too many open files" errors to clients.
>How-To-Repeat:
        Browse any https page with a refresh of 300+ seconds (mrtg, etc.)
        and use 'fstat /var/www/logs/ssl_scache.db' and watch it grow over
        time.
>Fix:
When the file is open then close it before returning!

I test this patch against 3.8-stable on i386 and sparc64. I have not tested
with current but the patch applies clean (with -5 offset.)

--- ssl_scache_dbm.c    Sun Feb 13 08:14:56 2005
+++ ssl_scache_dbm.c.new        Sun Apr  9 09:17:47 2006
@@ -235,14 +235,18 @@
     ssl_mutex_off(s);
 
     /* immediately return if not found */
-    if (dbmval.dptr == NULL || dbmval.dsize <= sizeof(time_t))
+    if (dbmval.dptr == NULL || dbmval.dsize <= sizeof(time_t)) {
+        ssl_dbm_close(dbm);
         return NULL;
+    }
 
     /* parse resulting data */
     nData = dbmval.dsize-sizeof(time_t);
     ucpData = (UCHAR *)malloc(nData);
-    if (ucpData == NULL)
+    if (ucpData == NULL) {
+        ssl_dbm_close(dbm);
         return NULL;
+    }
     memcpy(ucpData, (char *)dbmval.dptr+sizeof(time_t), nData);
     memcpy(&expiry, dbmval.dptr, sizeof(time_t));


>Release-Note:
>Audit-Trail:
>Unformatted: