[Bug 3189] New: channel mux_ctx memory leak

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Jul 1 08:01:22 AEST 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3189

            Bug ID: 3189
           Summary: channel mux_ctx memory leak
           Product: Portable OpenSSH
           Version: 8.3p1
          Hardware: ix86
                OS: Linux
            Status: NEW
          Severity: critical
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: sergiy.lozovsky at gmail.com

mux_ctx is allocated in mux_master_read_cb() but not freed.
This can cause a memory leak in the ssh process when multiplexing is used.

Steps to reproduce:

- Create ControlMaster

    $ ./ssh -o ControlPath=~/.ssh/mux -o ControlMaster=yes -N -n localhost

- Use multiplexing

    $ while true; do ./ssh -o ControlPath=~/.ssh/mux localhost true; done

- Watch RSS of ssh process

[eiichi at build-c7 ~]$ LANG=C pidstat -r -p 62937 10 60
Linux 3.10.0-1062.9.1.el7.x86_64 (build-c7)     05/21/20        _x86_64_        (8 CPU)

08:20:50          PID  minflt/s  majflt/s     VSZ    RSS   %MEM  Command
08:21:00        62937      0.40      0.00  128032   2920   0.04  ssh
08:21:10        62937      0.30      0.00  128164   2920   0.04  ssh
08:21:20        62937      0.40      0.00  128164   2920   0.04  ssh
08:21:30        62937      0.50      0.00  128164   2920   0.04  ssh
08:21:40        62937      0.40      0.00  128164   2920   0.04  ssh
08:21:50        62937      0.40      0.00  128164   2920   0.04  ssh
08:22:00        62937      0.40      0.00  128164   2920   0.04  ssh
08:22:10        62937      0.40      0.00  128164   2920   0.04  ssh
08:22:20        62937      0.40      0.00  128164   2920   0.04  ssh
08:22:30        62937      0.40      0.00  128292   3068   0.04  ssh
08:22:40        62937      0.30      0.00  128292   3068   0.04  ssh
08:22:50        62937      0.40      0.00  128292   3068   0.04  ssh
08:23:00        62937      0.40      0.00  128292   3068   0.04  ssh
08:23:10        62937      0.40      0.00  128292   3068   0.04  ssh
08:23:20        62937      0.40      0.00  128292   3068   0.04  ssh
08:23:30        62937      0.30      0.00  128292   3068   0.04  ssh
08:23:40        62937      0.40      0.00  128292   3068   0.04  ssh
08:23:50        62937      0.40      0.00  128292   3068   0.04  ssh
08:24:00        62937      0.40      0.00  128420   3196   0.04  ssh
08:24:10        62937      0.40      0.00  128420   3196   0.04  ssh
08:24:20        62937      0.40      0.00  128420   3196   0.04  ssh


Fix:

diff --git a/channels.c b/channels.c
index 95a51e2..74b3cec 100644
--- a/channels.c
+++ b/channels.c
@@ -621,6 +621,8 @@ channel_free(struct ssh *ssh, Channel *c)
        c->path = NULL;
        free(c->listening_addr);
        c->listening_addr = NULL;
+       free(c->mux_ctx);
+       c->mux_ctx = NULL;
        while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) {
                if (cc->abandon_cb != NULL)
                        cc->abandon_cb(ssh, c, cc->ctx);
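
Review bot: before freeing c->mux_ctx unconditionally in channel_free(), confirm that no other teardown path already frees the same pointer, since the report says it is allocated in mux_master_read_cb() and this hunk does not show whether the mux code releases it anywhere; if it does, the new free(c->mux_ctx) becomes a double free. It would also help to state, in the commit message or a comment next to the new lines, that the context is a single flat allocation with no nested members, because a bare free() would otherwise leave the inner allocations leaking. Resetting the pointer to NULL afterwards matches the handling of c->path and c->listening_addr just above.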
