From b8b463159d9bcb05505ec128b5c2926ace0b3e92 Mon Sep 17 00:00:00 2001

From: Quentin Armitage <quentin@armitage.org.uk>

Date: Thu, 13 Oct 2022 08:32:17 +0100

Subject: [PATCH] ipvs: Work around OpenSSL memory leak in versions 3.0.0 to

 3.0.4

The memory leak was observed with OpenSSL 3.0.1, and it is resolved

by version 3.0.5. Also the leak is not observed in v1.1.1n.

Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>

---

 keepalived/check/check_ssl.c | 20 +++++++++++++++++++-

 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/keepalived/check/check_ssl.c b/keepalived/check/check_ssl.c

index 917ac0d7..50efa824 100644

--- a/keepalived/check/check_ssl.c

+++ b/keepalived/check/check_ssl.c

@@ -229,7 +229,25 @@ ssl_connect(thread_ref_t thread, int new_req)

 		BIO_get_fd(req->bio, &bio_fd);

 		if (fcntl(bio_fd, F_SETFD, fcntl(bio_fd, F_GETFD) | FD_CLOEXEC) == -1)

 			log_message(LOG_INFO, "Setting CLOEXEC failed on ssl socket - errno %d", errno);

-#ifdef HAVE_SSL_SET0_RBIO

+

+		/* There is a memory leak in openSSL at least in version 3.0.1, which is fixed

+		 * by version 3.0.5. It was not present in version 1.1.1n. Since I haven't been

+		 * able to identify the OpenSSL patch that resolved the leak, we play safe and

+		 * assume it is in versions 3.0.0 up to 3.0.4.

+		 * The leak is memory allocated by

+		 *   p = OPENSSL_malloc(len);

+		 * in ssl3_setup_write_buffer() in ssl/record/ssl_buffer.c

+		 *

+		 * It appears that setting SSL_MODE_RELEASE_BUFFERS causes the memory leak not

+		 * to occur.

+		 */

+#ifdef OPENSSL_VERSION_MAJOR

+#if OPENSSL_VERSION_MAJOR == 3 && OPENSSL_VERSION_MINOR == 0 && OPENSSL_VERSION_PATCH <= 4

+		SSL_set_mode(req->ssl, SSL_MODE_RELEASE_BUFFERS);

+#endif

+#endif

+

+#if defined HAVE_SSL_SET0_RBIO && defined HAVE_SSL_SET0_WBIO

 		BIO_up_ref(req->bio);

 		SSL_set0_rbio(req->ssl, req->bio);

 		SSL_set0_wbio(req->ssl, req->bio);

-- 

2.38.1