The problem was on the COM server side, in the included
DSnapCom unit. The client’s IP address (passed in by httpsrvr.dll or scktsrvr.exe as an additional BSTR parameter) was not released properly, which caused a few bytes of memory leak for each method call.
Looking back, this bug seems pretty obvious, and it seems strange that I didn’t discover it at the time when I wrote the code. I was under the impression that I had tested everything properly. Duh!
Oh well. It’s back to testing then. (I’ve discovered this while trying to solve another problem which might or might not be related to it.)