From patchwork Thu Dec 3 04:49:50 2020
X-Patchwork-Submitter: Steffan Karger
X-Patchwork-Id: 1536
From: Steffan Karger
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 3 Dec 2020 16:49:50 +0100
Message-Id: <20201203154951.29382-1-steffan@karger.me>
Subject: [Openvpn-devel] [PATCH 1/2] tls-crypt-v2: fix server memory leak

tls-crypt-v2 was developed in parallel with the changes that allowed using tls-auth/tls-crypt in connection blocks. The tls-crypt-v2 patch set was never updated to the new reality after commit 5817b49b, causing a memory leak of about 600 bytes for each connecting client.

It would be nicer to not reload the tls-crypt-v2 server key for each connecting client, but that requires more refactoring (and thus more time to get right). So for now just plug the leak by freeing the memory when we close a client connection.

To test this easily, compile openvpn with -fsanitize=address, run a server with tls-crypt-v2, connect a client, stop the server.

Signed-off-by: Steffan Karger
---
 src/openvpn/init.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 27a4170d..5cde8a4b 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c @@ -3619,6 +3619,7 @@ do_close_free_key_schedule(struct context *c, bool free_ssl_ctx) * always free the tls_auth/crypt key. If persist_key is true, the key will * be reloaded from memory (pre-cached) */ + free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key); free_key_ctx_bi(&c->c1.ks.tls_wrap_key); CLEAR(c->c1.ks.tls_wrap_key); buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
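Review bot: the new `free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key);` is not followed by a reset of the freed context, while the neighbouring `free_key_ctx_bi(&c->c1.ks.tls_wrap_key);` is immediately followed by `CLEAR(c->c1.ks.tls_wrap_key);`. Since the commit message says the server key is reloaded for every connecting client, this path runs once per client close; please confirm that `free_key_ctx()` leaves the struct in a state where a repeated close (or the next reload) cannot act on a stale pointer, or add a matching `CLEAR()` for consistency with the line below. The comment directly above the insertion ("always free the tls_auth/crypt key ...") now also sits over the tls-crypt-v2 server key release and should mention it, and the `persist_key` remark in that comment should be checked against the new line, since the tls-crypt-v2 key is freed unconditionally here.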