Clean-up all memory on deinitialization of sec-mod and worker.

That will allow to easier spot any unintentional memory leaks.

src/config.c

@@ -630,76 +630,80 @@ int cmd_parser (void *pool, int argc, char **argv, struct cfg_st** config)
 }
 
 #define DEL(x) {talloc_free(x);x=NULL;}
-void clear_cfg_file(struct cfg_st** config)
+void clear_cfg_file(struct cfg_st* config)
 {
 unsigned i;
 
 #ifdef ANYCONNECT_CLIENT_COMPAT
-	DEL((*config)->xml_config_file);
-	DEL((*config)->xml_config_hash);
-	DEL((*config)->cert_hash);
+	DEL(config->xml_config_file);
+	DEL(config->xml_config_hash);
+	DEL(config->cert_hash);
 #endif
-	DEL((*config)->cgroup);
-	DEL((*config)->route_add_cmd);
-	DEL((*config)->route_del_cmd);
-	DEL((*config)->per_user_dir);
-	DEL((*config)->per_group_dir);
-	DEL((*config)->socket_file_prefix);
-	DEL((*config)->default_domain);
-	DEL((*config)->plain_passwd);
-	DEL((*config)->ocsp_response);
-	DEL((*config)->banner);
-	DEL((*config)->dh_params_file);
-	DEL((*config)->name);
-	DEL((*config)->pin_file);
-	DEL((*config)->srk_pin_file);
-	DEL((*config)->ca);
-	DEL((*config)->crl);
-	DEL((*config)->cert_user_oid);
-	DEL((*config)->cert_group_oid);
-	DEL((*config)->priorities);
-	DEL((*config)->chroot_dir);
-	DEL((*config)->connect_script);
-	DEL((*config)->disconnect_script);
+	DEL(config->cgroup);
+	DEL(config->route_add_cmd);
+	DEL(config->route_del_cmd);
+	DEL(config->per_user_dir);
+	DEL(config->per_group_dir);
+	DEL(config->socket_file_prefix);
+	DEL(config->default_domain);
+	DEL(config->plain_passwd);
+	DEL(config->ocsp_response);
+	DEL(config->banner);
+	DEL(config->dh_params_file);
+	DEL(config->name);
+	DEL(config->pin_file);
+	DEL(config->srk_pin_file);
+	DEL(config->ca);
+	DEL(config->crl);
+	DEL(config->cert_user_oid);
+	DEL(config->cert_group_oid);
+	DEL(config->priorities);
+	DEL(config->chroot_dir);
+	DEL(config->connect_script);
+	DEL(config->disconnect_script);
 
-	DEL((*config)->network.ipv4);
-	DEL((*config)->network.ipv4_netmask);
-	DEL((*config)->network.ipv6);
-	DEL((*config)->network.ipv6_netmask);
-	for (i=0;i<(*config)->network.routes_size;i++)
-		DEL((*config)->network.routes[i]);
-	DEL((*config)->network.routes);
-	for (i=0;i<(*config)->network.dns_size;i++)
-		DEL((*config)->network.dns[i]);
-	DEL((*config)->network.dns);
-	for (i=0;i<(*config)->network.nbns_size;i++)
-		DEL((*config)->network.nbns[i]);
-	DEL((*config)->network.nbns);
-	for (i=0;i<(*config)->key_size;i++)
-		DEL((*config)->key[i]);
-	DEL((*config)->key);
-	for (i=0;i<(*config)->cert_size;i++)
-		DEL((*config)->cert[i]);
-	DEL((*config)->cert);
-	for (i=0;i<(*config)->custom_header_size;i++)
-		DEL((*config)->custom_header[i]);
-	DEL((*config)->custom_header);
-	for (i=0;i<(*config)->split_dns_size;i++)
-		DEL((*config)->split_dns[i]);
-	DEL((*config)->split_dns);
-	talloc_free(*config);
-	*config = NULL;
+	DEL(config->network.ipv4);
+	DEL(config->network.ipv4_netmask);
+	DEL(config->network.ipv6);
+	DEL(config->network.ipv6_netmask);
+	for (i=0;i<config->network.routes_size;i++)
+		DEL(config->network.routes[i]);
+	DEL(config->network.routes);
+	for (i=0;i<config->network.dns_size;i++)
+		DEL(config->network.dns[i]);
+	DEL(config->network.dns);
+	for (i=0;i<config->network.nbns_size;i++)
+		DEL(config->network.nbns[i]);
+	DEL(config->network.nbns);
+	for (i=0;i<config->key_size;i++)
+		DEL(config->key[i]);
+	DEL(config->key);
+	for (i=0;i<config->cert_size;i++)
+		DEL(config->cert[i]);
+	DEL(config->cert);
+	for (i=0;i<config->custom_header_size;i++)
+		DEL(config->custom_header[i]);
+	DEL(config->custom_header);
+	for (i=0;i<config->split_dns_size;i++)
+		DEL(config->split_dns[i]);
+	DEL(config->split_dns);
+#ifdef HAVE_LIBTALLOC
+	/* our included talloc don't include that */
+	talloc_free_children(config);
+#endif
+	memset(config, 0, sizeof(*config));
 
 	return;
 }
 
-void reload_cfg_file(void *pool, struct cfg_st** config)
+void reload_cfg_file(void *pool, struct cfg_st* config)
 {
 	clear_cfg_file(config);
+	memset(config, 0, sizeof(*config));
 
-	parse_cfg_file(cfg_file, *config);
+	parse_cfg_file(cfg_file, config);
 
-	check_cfg(*config);
+	check_cfg(config);
 
 	return;
 }

src/main-misc.c

@@ -601,7 +601,7 @@ void run_sec_mod(main_server_st * s)
 #endif
 		setproctitle(PACKAGE_NAME "-secmod");
 
-		sec_mod_server(s, s->config, p, s->cookie_key, sizeof(s->cookie_key));
+		sec_mod_server(s->main_pool, s->config, p, s->cookie_key, sizeof(s->cookie_key));
 		exit(0);
 	} else if (pid > 0) {	/* parent */
 		s->sec_mod_pid = pid;

src/main.c

@@ -784,7 +784,8 @@ unsigned total = 10;
 		 */
 		clear_lists(s);
 		tls_global_deinit(s->creds);
-		clear_cfg_file(&s->config);
+		clear_cfg_file(s->config);
+		talloc_free(s->config);
 		talloc_free(s->main_pool);
 		closelog();
 		exit(0);
@@ -1074,6 +1075,7 @@ int main(int argc, char** argv)
 					snprintf(ws->secmod_addr.sun_path, sizeof(ws->secmod_addr.sun_path), "%s", s->socket_file);
 					ws->secmod_addr_len = SUN_LEN(&ws->secmod_addr);
 
+					ws->main_pool = main_pool;
 					ws->config = s->config;
 					ws->cmd_fd = cmd_fd[1];
 					ws->tun_fd = -1;

src/main.h

@@ -33,7 +33,7 @@
 
 int cmd_parser (void *pool, int argc, char **argv, struct cfg_st** config);
 void reload_cfg_file(void *pool, struct cfg_st** config);
-void clear_cfg_file(struct cfg_st** config);
+void clear_cfg_file(struct cfg_st* config);
 void write_pid_file(void);
 void remove_pid_file(void);
 

src/sec-mod-ban.c

@@ -65,6 +65,16 @@ void *sec_mod_ban_db_init(void *pool)
 	return db;
 }
 
+void sec_mod_ban_db_deinit(void *_db)
+{
+struct htable *db = _db;
+
+	if (db != NULL) {
+		htable_clear(db);
+		talloc_free(db);
+	}
+}
+
 void add_ip_to_ban_list(void *_db, const char *ip, time_t reenable_time)
 {
 	struct htable *db = _db;

src/sec-mod-db.c

@@ -63,6 +63,14 @@ void *sec_mod_client_db_init(void *pool)
 	return db;
 }
 
+void sec_mod_client_db_deinit(void *_db)
+{
+struct htable *db = _db;
+
+	htable_clear(db);
+	talloc_free(db);
+}
+
 client_entry_st *new_client_entry(void *_db, const char *ip)
 {
 	struct htable *db = _db;

src/sec-mod.c

@@ -49,6 +49,7 @@
 #define MAINTAINANCE_TIME 300
 
 static int need_maintainance = 0;
+static int need_exit = 0;
 
 struct pin_st {
 	char pin[MAX_PIN_SIZE];
@@ -289,8 +290,26 @@ static void handle_alarm(int signo)
 	need_maintainance = 1;
 }
 
+static void handle_sigterm(int signo)
+{
+	need_exit = 1;
+}
+
 static void check_other_work(sec_mod_st *sec)
 {
+	if (need_exit) {
+		unsigned i;
+
+		for (i = 0; i < sec->key_size; i++) {
+			gnutls_privkey_deinit(sec->key[i]);
+		}
+
+		sec_mod_client_db_deinit(sec->client_db);
+		sec_mod_ban_db_deinit(sec->ban_db);
+		talloc_free(sec->main_pool);
+		exit(0);
+	}
+
 	if (need_maintainance) {
 		seclog(LOG_DEBUG, "performing maintenance");
 		cleanup_client_entries(sec->client_db);
@@ -348,10 +367,11 @@ void sec_mod_server(void *pool, struct cfg_st *config, const char *socket_file,
 	sec->cookie_key.data = cookie_key;
 	sec->cookie_key.size = cookie_key_size;
 	sec->config = config;
+	sec->main_pool = pool;
 
 	ocsignal(SIGHUP, SIG_IGN);
-	ocsignal(SIGINT, SIG_DFL);
-	ocsignal(SIGTERM, SIG_DFL);
+	ocsignal(SIGINT, handle_sigterm);
+	ocsignal(SIGTERM, handle_sigterm);
 	ocsignal(SIGALRM, handle_alarm);
 
 	alarm(MAINTAINANCE_TIME);
@@ -366,17 +386,17 @@ void sec_mod_server(void *pool, struct cfg_st *config, const char *socket_file,
 	}
 #endif
 
-	sec->client_db = sec_mod_client_db_init(pool);
+	sec->client_db = sec_mod_client_db_init(sec);
 	if (sec->client_db == NULL) {
 		seclog(LOG_ERR, "error in client db initialization");
 		exit(1);
 	}
 
 	if (config->min_reauth_time > 0)
-		sec->ban_db = sec_mod_ban_db_init(pool);
+		sec->ban_db = sec_mod_ban_db_init(sec);
 
 	buffer_size = 8 * 1024;
-	buffer = talloc_size(pool, buffer_size);
+	buffer = talloc_size(sec, buffer_size);
 	if (buffer == NULL) {
 		seclog(LOG_ERR, "error in memory allocation");
 		exit(1);

src/sec-mod.h

@@ -31,6 +31,9 @@ typedef struct sec_mod_st {
 	void *client_db;
 	void *ban_db;
 
+	/* to be used on deinitialization only */
+	void *main_pool;
+
 	int fd;
 } sec_mod_st;
 
@@ -56,6 +59,7 @@ typedef struct client_entry_st {
 } client_entry_st;
 
 void *sec_mod_client_db_init(void *pool);
+void sec_mod_client_db_deinit(void *db);
 client_entry_st * new_client_entry(void *_db, const char *ip);
 client_entry_st * find_client_entry(void *_db, uint8_t sid[SID_SIZE]);
 void del_client_entry(void *_db, client_entry_st * e);
@@ -81,5 +85,6 @@ void cleanup_banned_entries(void *_db);
 unsigned check_if_banned(void *_db, const char *ip);
 void add_ip_to_ban_list(void *_db, const char *ip, time_t reenable_time);
 void *sec_mod_ban_db_init(void *pool);
+void sec_mod_ban_db_deinit(void *_db);
 
 #endif

src/worker-vpn.c

@@ -637,6 +637,7 @@ void exit_worker(worker_st * ws)
 		      (unsigned long)msg.bytes_in,
 		      (unsigned long)msg.bytes_out);
 	}
+	talloc_free(ws->main_pool);
 	closelog();
 	exit(1);
 }

src/worker.h

@@ -220,6 +220,8 @@ typedef struct worker_st {
 	char* dns[MAX_ROUTES];
 	unsigned nbns_size;
 	char* nbns[MAX_ROUTES];
+
+	void *main_pool; /* to be used only on deinitialization */
 } worker_st;
 
 void vpn_server(struct worker_st* ws);