Double Free in Actix with Mutual Tls

A double free occurs when a program deallocates the same memory region twice. In Actix applications using Mutual TLS (mTLS), this risk can emerge at the intersection of Rust’s ownership model, TLS session state, and per-request actor handling. mTLS requires both client and server to present valid certificates, and Actix typically loads peer certificates into request extensions for authorization checks. If these extensions or associated session data are cloned into multiple actor addresses or request-scoped workers, and then each clone independently attempts to free the certificate buffers or associated structures, a double free can occur when the underlying memory is released more than once.

Consider a scenario where an Actix web app uses web::PeerCertificate (or a custom extractor) to pull client cert info, then spawns multiple actors or futures that each capture a clone of the certificate data. During asynchronous task teardown, each actor may invoke cleanup logic that drops the same underlying buffer. Because mTLS ties certificate validation to the TLS session, improper handling of reference counts or Arc/Rc clones across Actix workers can bypass Rust’s usual safety guarantees at runtime, especially when unsafe code or FFI interacts with OpenSSL or rustls session objects. The result is memory corruption that may not manifest deterministically, making it harder to reproduce without realistic mTLS traffic patterns.

Double frees in this context are often latent race conditions exacerbated by mTLS handshake concurrency. For example, if certificate validation errors trigger early actor cancellation while the request processing future also drops extensions, both paths may attempt to release the same memory. This maps into security implications similar to issues flagged in the OWASP API Top 10 (e.g., improper error handling and memory management) and can be probed by sending mTLS-authenticated requests designed to trigger cancellation paths, timeouts, or repeated reconnects that exercise parallel task teardown.

middleBrick’s LLM/AI Security checks and runtime scans can surface indicators of unsafe certificate handling or missing rate controls that encourage retry storms, which increase the likelihood of concurrent drops. Although middleBrick does not fix the issue, its findings include remediation guidance to review how certificate data is cloned, stored, and dropped within Actix actors and extensions, and to ensure cleanup is idempotent.

To prevent double frees when using mTLS in Actix, ensure certificate data is owned once and shared safely across actors and futures. Prefer reference-counted, immutable structures (e.g., Arc) and avoid raw pointer or unsafe-based sharing of TLS buffers. Below are concrete patterns and code examples for safe mTLS handling in Actix.

1. Safe certificate extraction with Arc

Extract the peer certificate once and wrap it in an Arc so clones share ownership without duplicating the underlying buffer. This ensures drops are idempotent and eliminates double frees across spawned actors.

use actix_web::{web, Error, HttpRequest, HttpResponse};
use std::sync::Arc;
use openssl::x509::X509;

// Extract certificate and wrap in Arc once
fn extract_peer_cert(req: &HttpRequest) -> Option> {
    req.extensions()
        .get::>()
        .cloned()
}

async fn handler(req: HttpRequest) -> Result {
    if let Some(cert) = extract_peer_cert(&req) {
        // Use cert.clone() safely across futures or actors; the Arc ensures single free
        actix_web::web::block(move || {
            // Perform authorization using cert
            Ok::<_, Error>(HttpResponse::Ok().finish())
        })
        .await?
    } else {
        Ok(HttpResponse::Unauthorized().finish())
    }
}

2. Configure mTLS in Actix server with rustls

Set up the Actix server with rustls and client certificate verification, ensuring the server owns the CA store and validation is centralized. This reduces the surface where duplicate cleanup might occur.

use actix_web::HttpServer;
use rustls::{ServerConfig, ClientConfig, RootCertStore, Certificate, PrivateKey};
use std::sync::Arc;
use std::io;

fn build_mtls_config() -> io::Result {
    let mut roots = RootCertStore::empty();
    // Load trusted CA certs for client verification
    roots.add(&Certificate(vec![/* DER bytes */])).map_err(|e| io::Error::new(io::ErrorKind::InvalidInput, e))?;

    let config = ServerConfig::builder()
        .with_safe_defaults()
        .with_client_auth_cert(roots, vec![])?; // require and verify client certs
    Ok(config)
}

fn build_client_config() -> io::Result {
    let mut roots = RootCertStore::empty();
    roots.add(&Certificate(vec![/* CA cert DER */])).map_err(|e| io::Error::new(io::ErrorKind::InvalidInput, e))?;
    let certs = vec![Certificate(vec![/* client cert DER */])];
    let key = PrivateKey(vec![/* client key DER */]);
    ClientConfig::builder()
        .with_safe_defaults()
        .with_root_certificates(roots)
        .with_single_cert(certs, key)
        .map_err(|e| io::Error::new(io::ErrorKind::InvalidInput, e))
}

3. Avoid cloning raw certificate bytes across actors

If you must pass certificate material, serialize to an owned structure (e.g., Vec inside an Arc) rather than cloning slices that may share a backing buffer. This pattern prevents multiple deallocation attempts on the same memory.

use std::sync::Arc;

struct AuthContext {
    cert_der: Arc>,
    // other safe, owned fields
}

async fn handle_request(ctx: web::Data) -> HttpResponse {
    // ctx.cert_der.clone() is cheap and safe; the Arc ensures a single free
    HttpResponse::Ok().finish()
}

These approaches centralize ownership and make cleanup deterministic. They align with secure coding practices around mTLS and help avoid memory-safety issues that could be probed by active LLM security tests for prompt injection or unsafe consumption patterns.