nano_ffi free memoty

2026-01-02 22:54:50 +03:00 · 2025-12-02 23:12:11 +02:00
parent 38a0f55a96
commit 8b0f6c0a12
2 changed files with 76 additions and 20 deletions
--- a/attachments/kong/plugins/open-appsec-waf-kong-plugin/nano_ffi.lua
+++ b/attachments/kong/plugins/open-appsec-waf-kong-plugin/nano_ffi.lua
@@ -171,6 +171,13 @@ function nano.free_all_responses()
    nano.allocated_responses = {}
 end

+-- Free a single response immediately (for INSPECT/ACCEPT verdicts)
+function nano.free_response_immediate(response)
+    if response then
+        nano_attachment.free_verdict_response(response)
+    end
+end
+
 function nano.cleanup_all()
    nano.free_all_nano_str()
    nano.free_all_metadata()
@@ -341,7 +348,11 @@ function nano.send_data(session_id, session_data, meta_data, header_data, contai
    local verdict, response = nano_attachment.send_data(attachment, session_id, session_data, chunk_type, meta_data, header_data, contains_body)

    if response then
-        table.insert(nano.allocated_responses, response)
+        if verdict == nano.AttachmentVerdict.DROP then
+            table.insert(nano.allocated_responses, response)
+        else
+            nano.free_response_immediate(response)
+        end
    end

    return verdict, response
@@ -358,8 +369,16 @@ function nano.send_body(session_id, session_data, body_chunk, chunk_type)

    local verdict, response, modifications = nano_attachment.send_body(attachment, session_id, session_data, body_chunk, chunk_type)

+    -- CRITICAL OPTIMIZATION: Free response immediately if not needed for DROP handling
+    -- Only DROP verdicts need the response object for custom response generation
    if response then
-        table.insert(nano.allocated_responses, response)
+        if verdict == nano.AttachmentVerdict.DROP then
+            -- Keep response for handle_custom_response() - will be freed in cleanup_all()
+            table.insert(nano.allocated_responses, response)
+        else
+            -- INSPECT or ACCEPT verdict - free immediately to prevent memory accumulation
+            nano.free_response_immediate(response)
+        end
    end

    return verdict, response, modifications
@@ -433,7 +452,11 @@ function nano.send_response_headers(session_id, session_data, headers, status_co
    )

    if response then
-        table.insert(nano.allocated_responses, response)
+        if verdict == nano.AttachmentVerdict.DROP then
+            table.insert(nano.allocated_responses, response)
+        else
+            nano.free_response_immediate(response)
+        end
    end

    return verdict, response
@@ -456,7 +479,11 @@ function nano.send_content_length(session_id, session_data, content_length)
    )

    if response then
-        table.insert(nano.allocated_responses, response)
+        if verdict == nano.AttachmentVerdict.DROP then
+            table.insert(nano.allocated_responses, response)
+        else
+            nano.free_response_immediate(response)
+        end
    end

    return verdict, response
@@ -525,7 +552,11 @@ function nano.end_inspection(session_id, session_data, chunk_type)
    local verdict, response = nano_attachment.end_inspection(attachment, session_id, session_data, chunk_type)

    if response then
-        table.insert(nano.allocated_responses, response)
+        if verdict == nano.AttachmentVerdict.DROP then
+            table.insert(nano.allocated_responses, response)
+        else
+            nano.free_response_immediate(response)
+        end
    end

    return verdict, response