gh-109534: fix reference leak when SSL handshake fails #114074

Merged
merged 2 commits into from
Feb 1, 2024
4 changes: 4 additions & 0 deletions Lib/asyncio/selector_events.py
Expand Up @@ -235,6 +235,10 @@ async def _accept_connection2(
await waiter
except BaseException:
transport.close()
# gh-109534: When an exception is raised by the SSLProtocol object the
# exception set in this future can keep the protocol object alive and
# cause a reference cycle.
waiter = None
raise
# It's now up to the protocol to handle the connection.
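Review bot: the comment above `waiter = None` says the exception stored in the future keeps the protocol alive, but it does not say how this frame takes part in the cycle. Spell out the chain (the exception's traceback references this frame, and the frame's `waiter` local references the future that holds the exception), because without it an assignment placed right before `raise` reads like a dead store that a later cleanup could remove.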

1 change: 1 addition & 0 deletions Lib/asyncio/sslproto.py
Expand Up @@ -579,6 +579,7 @@ def _on_handshake_complete(self, handshake_exc):

peercert = sslobj.getpeercert()
except Exception as exc:
Contributor

The exception handler here is intended to (also) catch exceptions raised by sslobj.getpeercert(). That is probably going to be an issue.

Contributor

In other words: you can't avoid using a try...except block here. Is removing this really necessary to break the cycle?

Contributor Author

@ordinary-jamie ordinary-jamie Jan 15, 2024

Ah! This was my misunderstanding of the problem. It turns out that setting the original `handshake_exc` to `None` also fixed our problem -- my understanding is that there are two separate instances of the exception, each with a traceback, and only one was being handled.

try:
    if handshake_exc is None:
        self._set_state(SSLProtocolState.WRAPPED)
    else:
        raise handshake_exc

    peercert = sslobj.getpeercert()
except Exception as exc:
    handshake_exc = None    # <--- fixes the problem

handshake_exc = None
self._set_state(SSLProtocolState.UNWRAPPED)
if isinstance(exc, ssl.CertificateError):
msg = 'SSL handshake failed on verifying the certificate'
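Review bot: `handshake_exc = None` at the top of the `except Exception as exc:` handler carries no comment, unlike the `waiter = None` change in Lib/asyncio/selector_events.py, which cites gh-109534. Add a one-line comment saying the argument is cleared to break a reference cycle and naming the issue, so the line is not mistaken for a dead store. It would also help to say which reference is being dropped, since on the `raise handshake_exc` path `exc` is bound to that same exception object until the handler exits.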
@@ -0,0 +1,3 @@
Fix a reference leak in
:class:`asyncio.selector_events.BaseSelectorEventLoop` when SSL handshakes
fail. Patch contributed by Jamie Phan.
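Review bot: the entry names only `asyncio.selector_events.BaseSelectorEventLoop`, but the patch also changes `_on_handshake_complete` in Lib/asyncio/sslproto.py. Describe the fix by behaviour (a reference leak in asyncio when an SSL handshake fails) or mention both places, so the changelog matches what was changed.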
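The cycle discussed in this PR, reproduced without asyncio as an added example (not code from the PR or from CPython). `Waiter`, `Protocol` and `protocol_survives` are hypothetical stand-ins for the future, the SSL protocol object and a measurement helper; the example shows that the protocol outlives the failed call until a GC pass unless the frame's `waiter` local is cleared before re-raising.

```python
import gc
import weakref


class Waiter:
    """Hypothetical stand-in for the future: holds an exception, re-raises it."""

    def __init__(self, exc):
        self.exc = exc

    def result(self):
        try:
            raise self.exc
        finally:
            self = None  # keep this frame from pinning the waiter itself


class Protocol:
    """Hypothetical stand-in for the per-connection protocol object."""


def protocol_survives(clear_waiter):
    """Return (alive_before_gc, alive_after_gc) for the protocol object."""
    probes = []

    def accept_connection():
        protocol = Protocol()  # pinned by this frame's locals
        probes.append(weakref.ref(protocol))
        waiter = Waiter(ConnectionError("constructed handshake failure"))
        try:
            waiter.result()
        except BaseException:
            if clear_waiter:
                # Same move as the patch: drop frame -> waiter -> exception.
                waiter = None
            raise

    gc.disable()  # refcounting is the only reclaim path until gc.collect()
    try:
        try:
            accept_connection()
        except ConnectionError:
            pass  # exception handled; only the cycle can still hold it
        before = probes[0]() is not None
        gc.collect()
        after = probes[0]() is not None
    finally:
        gc.enable()
    return before, after
```

On a server that sees many failed handshakes, the uncleared case means every failure leaves its protocol, transport and traceback frames in memory until the cyclic collector runs.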