microsoft / cpprestsdk

The C++ REST SDK is a Microsoft project for cloud-based client-server communication in native code using a modern asynchronous C++ API design. This project aims to help C++ developers connect to and interact with services.

Memory Leak in WinHTTP-based Auto-Proxy Configuration #1617

Closed whozcraig closed 3 years ago

whozcraig commented 3 years ago

When configured for automatic proxy discovery, the following method:

web::http::client::details::winhttp_client::send_request

uses WinHttpGetProxyForUrl to acquire the appropriate proxy to use, if any. The problem is, the clear instructions of that API state this about the final argument (the proxy info structure):

A pointer to a WINHTTP_PROXY_INFO structure that receives the proxy setting. This structure is then applied to the request handle using the WINHTTP_OPTION_PROXY option. Free the lpszProxy and lpszProxyBypass strings contained in this structure (if they are non-NULL) using the GlobalFree function.

The member function in question makes no effort to either deduce or free the aforementioned proxy data if populated by the Windows API in question. The result is that for every request sent with auto-discovery enabled, a global heap allocation is leaked into the ether, equal in size to double the char count of the proxy address in question (it is a Unicode string). For a service process, this is death by a thousand cuts (my service utilizes this feature, and processes millions of requests an hour, with each one leaking a 70-byte block due to this problem). Note that using a hard-coded proxy address (i.e. not using auto-discovery) does not use the aforementioned Windows API, and thus does not leak.

Edit: Closed. Fixed in newer version.
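
The ownership rule quoted in the issue, as an added example that is not part of the original report and is not the cpprestsdk fix (which this page does not show): a scope guard that frees both strings on every exit path. `proxy_info_guard`, `apply_auto_proxy`, `simulate_requests` and the non-Windows stand-ins are hypothetical names constructed here so the ownership logic can also be exercised off Windows.

```cpp
#ifdef _WIN32
#include <windows.h>
#include <winhttp.h>
#else
// Constructed stand-ins (not WinHTTP) so the ownership logic runs off Windows.
struct WINHTTP_PROXY_INFO { unsigned long dwAccessType; wchar_t* lpszProxy; wchar_t* lpszProxyBypass; };
static int g_live_blocks = 0;  // stand-in allocations not yet freed
static wchar_t g_fake_proxy[] = L"proxy.example.test:8080";
static void* GlobalFree(void* p) { if (p) --g_live_blocks; return nullptr; }
// Simulates the API handing back one allocated proxy string.
static bool fake_get_proxy(WINHTTP_PROXY_INFO* o) { o->lpszProxy = g_fake_proxy; ++g_live_blocks; return true; }
#endif

// Hypothetical helper: owns the strings inside a WINHTTP_PROXY_INFO.
class proxy_info_guard {
public:
    proxy_info_guard() : info_() {}  // zero-initialised, so both pointers start NULL
    ~proxy_info_guard() {
        // Free both strings if non-NULL, as the API documentation requires.
        if (info_.lpszProxy) GlobalFree(info_.lpszProxy);
        if (info_.lpszProxyBypass) GlobalFree(info_.lpszProxyBypass);
    }
    proxy_info_guard(const proxy_info_guard&) = delete;
    proxy_info_guard& operator=(const proxy_info_guard&) = delete;
    WINHTTP_PROXY_INFO* get() { return &info_; }
private:
    WINHTTP_PROXY_INFO info_;
};

#ifdef _WIN32
// Resolve and apply the proxy for one request; strings are freed on every path.
bool apply_auto_proxy(HINTERNET session, HINTERNET request, const wchar_t* url) {
    WINHTTP_AUTOPROXY_OPTIONS opts = {};
    opts.dwFlags = WINHTTP_AUTOPROXY_AUTO_DETECT;
    opts.dwAutoDetectFlags = WINHTTP_AUTO_DETECT_TYPE_DHCP | WINHTTP_AUTO_DETECT_TYPE_DNS_A;
    proxy_info_guard proxy;
    if (!WinHttpGetProxyForUrl(session, url, &opts, proxy.get())) return false;
    return WinHttpSetOption(request, WINHTTP_OPTION_PROXY, proxy.get(),
                            sizeof(WINHTTP_PROXY_INFO)) != FALSE;
}
#else
// Simulate n requests; returns stand-in blocks still outstanding afterwards.
int simulate_requests(int n, bool use_guard) {
    g_live_blocks = 0;
    for (int i = 0; i < n; ++i) {
        if (use_guard) { proxy_info_guard p; fake_get_proxy(p.get()); }
        else { WINHTTP_PROXY_INFO raw = {}; fake_get_proxy(&raw); }  // never freed
    }
    return g_live_blocks;
}
#endif
```

On Windows, link against `winhttp.lib`; the simulation branch is compiled only on other platforms.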