From: Olivier Houchard Date: Wed, 15 Jul 2026 16:01:46 +0000 (+0200) Subject: BUG/MEDIUM: ssl-gencert: Don't forget to free memory when done X-Git-Url: http://git.kaiwu.me/http/doc/$%7BGITURL%7D/$%7BGITURL%7D$%7Bcid%7D?a=commitdiff_plain;h=HEAD;p=haproxy.git BUG/MEDIUM: ssl-gencert: Don't forget to free memory when done In ssl_sock_do_create_cert(), don't forget to free ctmp and tmp_ssl once we're done creating the certificate, otherwise we will get a memory leak each time we have to create a new certificate, which will happen each time a new SNI is used. This should be backported as far as 2.6 (though on older releases, ssl_gencert.c doesn't exist, and that function is found in ssl_sock.c). This patch was submitted by Red Hat and AISLE Research --- diff --git a/src/ssl_gencert.c b/src/ssl_gencert.c index c201e0c7b..7dafaa053 100644 --- a/src/ssl_gencert.c +++ b/src/ssl_gencert.c @@ -299,6 +299,8 @@ static SSL_CTX *ssl_sock_do_create_cert(const char *servername, struct bind_conf #endif /* defined(SSL_CTX_set_tmp_ecdh) && !defined(OPENSSL_NO_ECDH) */ #endif /* HA_OPENSSL_VERSION_NUMBER >= 0x10101000L */ end: + if (ctmp) NCONF_free(ctmp); + if (tmp_ssl) SSL_free(tmp_ssl); return ssl_ctx; mkcert_error: