Okay, I've attached a patch that fixes the problem for me. The problem
turned out to be pretty simple: the PostgreSQL code (both backend and
frontend SSL support) was calling SSL_get_peer_certificate() without
properly free'ing its return value.
I haven't actually confirmed the backend memory leak, but it should be
readily reproduceable (the same OpenSSL API call is made and the
return value is never free'd).
Olaf, can you please test the attached patch? (Against CVS HEAD, but
should apply easily enough to 7.4.0) At the very least you'll need to
rebuild libpq and ensure that the test app picks up the new .so, but
testing the backend with the patch applied would also be helpful.
This fix needs to be in 7.4.1, so if anyone wants to review this
patch, that would be great.
-Neil
P.S. I added an assertion in the backend code to help catch any other
memory leaks in this area. I didn't add an equivalent one to the
frontend code, because libpq doesn't seem to be setup for
assertions. When this is applied to 7.4.1, we probably shouldn't
include the assertion at the risk of suffering backend crashes.
Index: src/backend/libpq/be-secure.c
===================================================================
RCS file: /var/lib/cvs/pgsql-server/src/backend/libpq/be-secure.c,v
retrieving revision 1.44
diff -c -r1.44 be-secure.c
*** src/backend/libpq/be-secure.c 29 Nov 2003 19:51:49 -0000 1.44
--- src/backend/libpq/be-secure.c 13 Dec 2003 01:09:13 -0000
***************
*** 714,719 ****
--- 714,722 ----
static int
open_server_SSL(Port *port)
{
+ Assert(!port->ssl);
+ Assert(!port->peer);
+
if (!(port->ssl = SSL_new(SSL_context)) ||
!SSL_set_fd(port->ssl, port->sock) ||
SSL_accept(port->ssl) <= 0)
***************
*** 764,769 ****
--- 767,778 ----
SSL_free(port->ssl);
port->ssl = NULL;
}
+
+ if (port->peer)
+ {
+ X509_free(port->peer);
+ port->peer = NULL;
+ }
}
/*
Index: src/interfaces/libpq/fe-secure.c
===================================================================
RCS file: /var/lib/cvs/pgsql-server/src/interfaces/libpq/fe-secure.c,v
retrieving revision 1.33
diff -c -r1.33 fe-secure.c
*** src/interfaces/libpq/fe-secure.c 29 Nov 2003 19:52:12 -0000 1.33
--- src/interfaces/libpq/fe-secure.c 13 Dec 2003 00:57:56 -0000
***************
*** 1004,1009 ****
--- 1004,1015 ----
SSL_free(conn->ssl);
conn->ssl = NULL;
}
+
+ if (conn->peer)
+ {
+ X509_free(conn->peer);
+ conn->peer = NULL;
+ }
}
/*
---------------------------(end of broadcast)---------------------------
TIP 3: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to [EMAIL PROTECTED] so that your
message can get through to the mailing list cleanly
