Skip to content

Fix native memory leak on OCSP_Response #96561

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
rzikm merged 1 commit into from
Jan 6, 2024
Merged

Fix native memory leak on OCSP_Response #96561

rzikm merged 1 commit into from
Jan 6, 2024

Conversation

@rzikm
Copy link
Member

@rzikm rzikm commented Jan 5, 2024
edited
Loading

Fixes #96616.

This PR makes sure we parse OCSP_Response only once per certificate. This fixes a leak when CryptoNative_SslGetPeerCertificate is called multiple times to retrieve the same certificate, as previously the already parsed OCSP_RESPONSE in X509 instance would be simply overwritten without freeing it.

We did not hit this before because the implementation generally retrieves the peer's certificate only once, but during renegotiation, we may ask for it multiple times.

@ghost ghost added the area-System.Security label Jan 5, 2024
@rzikm rzikm requested a review from bartonjs January 5, 2024 16:18
@ghost ghost assigned rzikm Jan 5, 2024
@ghost
Copy link

ghost commented Jan 5, 2024

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

This PR makes sure we parse OCSP_Response only once per certificate. This fixes a leak when CryptoNative_SslGetPeerCertificate is called multiple times to retrieve the same certificate, as previously the already parsed OCSP_RESPONSE in X509 instance would be simply overwritten without freeing it.

We did not hit this before because the implementation generally retrieves the peer's certificate only once, but during renegotiation, we may ask for it multiple times.

Author: rzikm
Assignees: -
Labels:

area-System.Security
Milestone: -

@ghost
Copy link

ghost commented Jan 5, 2024

Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

This PR makes sure we parse OCSP_Response only once per certificate. This fixes a leak when CryptoNative_SslGetPeerCertificate is called multiple times to retrieve the same certificate, as previously the already parsed OCSP_RESPONSE in X509 instance would be simply overwritten without freeing it.

We did not hit this before because the implementation generally retrieves the peer's certificate only once, but during renegotiation, we may ask for it multiple times.

Author: rzikm
Assignees: rzikm
Labels:

area-System.Net.Security, area-System.Security
Milestone: -

@rzikm rzikm requested a review from wfurt January 5, 2024 16:24
@build-analysis build-analysis bot mentioned this pull request Jan 5, 2024
Open
2 tasks
@build-analysis build-analysis bot mentioned this pull request Jan 5, 2024
Closed
@janvorli janvorli mentioned this pull request Jan 5, 2024
Closed
wfurt
wfurt approved these changes Jan 6, 2024
View reviewed changes
Copy link
Member

@wfurt wfurt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rzikm
Copy link
Member Author

rzikm commented Jan 6, 2024

All CI failures are Known Build Errors.

@rzikm rzikm merged commit 3e8f588 into dotnet:main Jan 6, 2024
@rzikm
Copy link
Member Author

rzikm commented Jan 6, 2024

/backport to release/8.0-staging

@rzikm
Copy link
Member Author

rzikm commented Jan 6, 2024

/backport to release/7.0-staging

@github-actions
Copy link
Contributor

github-actions bot commented Jan 6, 2024

Started backporting to release/8.0-staging: https://github.com/dotnet/runtime/actions/runs/7431377625

@github-actions
Copy link
Contributor

github-actions bot commented Jan 6, 2024

Started backporting to release/7.0-staging: https://github.com/dotnet/runtime/actions/runs/7431377941

This was referenced Jan 6, 2024
Merged
Merged
@karelz karelz added this to the 9.0.0 milestone Jan 8, 2024
@Leonardo-Ferreira
Copy link

Leonardo-Ferreira commented Jan 9, 2024

Any ideas of when will this be available at the docker images?

@wfurt
Copy link
Member

wfurt commented Jan 9, 2024

February if we get it approved in next few days. Likely month later otherwise as part of regular servicing cadence.

@github-actions github-actions bot locked and limited conversation to collaborators Feb 9, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@vcsjones vcsjones vcsjones left review comments

@bartonjs bartonjs bartonjs approved these changes

@wfurt wfurt wfurt approved these changes

Assignees

@rzikm rzikm

Labels

area-System.Net.Security

Projects

None yet

Milestone

9.0.0

Development

Successfully merging this pull request may close these issues.

Native memory leak on TLS client reading OCSP staple.

6 participants

@rzikm @Leonardo-Ferreira @wfurt @vcsjones @bartonjs @karelz