[squid-users] Squid Kerberos helper leaking memory - OpenBSD 6.3

Silamael silamael at coronamundi.de
Tue Sep 4 15:22:10 UTC 2018


On 09/04/2018 03:51 PM, Amos Jeffries wrote:
> On 5/09/18 1:24 AM, Silamael wrote:
>> Hello,
>>
>> I'm currently investigating a memory leak in with the Kerberos negotiate
>> authentication helper in Squid 3.5.27 under OpenBSD 6.3. It's a own port
>> with added Kerberos support since OpenBSD's port does not support
>> Kerberos at all.
>>
>> As library Heimdal 7.5.0 is used. So far I had no luck in finding the
>> memory leak itself.
> 
> Have you tried valgrind and either GCC or clang static analysis features
> on your helper and/or library?

valgrind doesn't seem to work properly on OpenBSD. I get a bunch of 
nonsense output and then a segmentation fault...
What are the GCC/clang statistic features? I'm no C/C++ pro ;)

>>
>> Would it be safe for Squid, to patch the helper code so that it does a
>> clean exit after every X processed requests?
>>
>> Or will this bring new problems on Squid's side?
>>
> 
> Should be okay so long as the helpers do reply to at least some queries,
> and do not exit all at once.
> 
> Squid-3.5 will log errors about helpers exiting unexpectedly, but should
> only die if the helpers did so on their startup or many are dying within
> a shifting 30sec window of time.
At moment a helper will call exit(0) after 10000 requests. Don't know, 
how Squid distributes the requests over all helper processes and if we 
have too many helpers exiting within 30 seconds...
But good to know that there aren't any general objections.

> 
> Squid-4 can use the auth_param on-persistent-overload=ERR option to
> prevent even the death cases above.

Good to know.

-- Matthias


More information about the squid-users mailing list