6756 – ldapsearch crashes - double free or corruption (!prev): 0x0989f5f8

Issue 6756 - ldapsearch crashes - double free or corruption (!prev): 0x0989f5f8

Summary: ldapsearch crashes - double free or corruption (!prev): 0x0989f5f8

Status:	VERIFIED FIXED

Alias:	None

Product:	OpenLDAP
Classification:	Unclassified
Component:	slapd (show other issues)
Version:	unspecified
Hardware:	All All

Importance:	--- normal
Target Milestone:	---
Assignee:	OpenLDAP project

URL:
Keywords:

Depends on:
Blocks:

Reported:	2010-12-30 21:06 UTC by jgilmour@techsmog.com
Modified:	2010-12-30 21:07 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this issue.

Description Howard Chu 2010-12-30 17:19:19 UTC

changed state Open to Closed
moved from Incoming to Archive.Incoming

Comment 1 jgilmour@techsmog.com 2010-12-30 21:06:14 UTC

Full_Name: Josh Gilmour
Version: ldapsearch 2.3.43 (Nov 29 2010 03:47:14)
OS: CentOS release 5.4 32bit
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (38.112.23.58)


I get a segfault when using the following command and applying a filter file. If
we remove the -f, the command runs properly. It doesn't seem to be a major
security issue (or one at all, I'm not sure), but it does seem to be a bug I
believe...

the file i'm using for the -f parameter, 'testing', just has the letter 'a' in
it.

Here is the process output from gdb:

[jgilmour@xijgilmour ~]$ gdb ldapsearch
GNU gdb Fedora (6.8-37.el5)
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
(no debugging symbols found)
(gdb) r -x -LLL -h xxx.local -D "xxx@xxx.local" -E pr=1/noprompt -w password -b
"OU=xxx,dc=xxx,dc=local" -S sAMAccountName -f testing
Starting program: /usr/bin/ldapsearch -x -LLL -h xxx.local -D "xxx@xxx.local" -E
pr=1/noprompt -w password -b "OU=xxx,dc=xxx,dc=local" -S sAMAccountName -f
testing
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
dn: OU=xxx,DC=xxx,DC=LOCAL
objectClass: top
objectClass: organizationalUnit
ou: xxx
distinguishedName: OU=xxx,DC=xxx,DC=LOCAL
instanceType: 4
whenCreated: 20050103174000.0Z
whenChanged: 20081117191042.0Z
uSNCreated: 12371
uSNChanged: 6388825
name: xxx
objectGUID:: qjRiugCNd0eXyrXkHlETpA==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=xxx,D
 C=LOCAL
dSCorePropagationData: 20080818221029.0Z
dSCorePropagationData: 20080628202026.0Z
dSCorePropagationData: 20070611215308.0Z
dSCorePropagationData: 20070611213209.0Z
dSCorePropagationData: 16010714223649.0Z

*** glibc detected *** /usr/bin/ldapsearch: double free or corruption (!prev):
0x086a35f8 ***

Program received signal SIGSEGV, Segmentation fault.
0x00c67a3f in _int_malloc () from /lib/i686/nosegneg/libc.so.6
(gdb) i r
eax            0x169    361
ecx            0xd43170 13906288
edx            0x86a35f0        141178352
ebx            0xd41ff4 13901812
esp            0xbf9a7078       0xbf9a7078
ebp            0xbf9a713c       0xbf9a713c
esi            0x168    360
edi            0xb7fdb000       -1208111104
eip            0xc67a3f 0xc67a3f <_int_malloc+703>
eflags         0x210283 [ CF SF IF RF ID ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) bt
#0  0x00c67a3f in _int_malloc () from /lib/i686/nosegneg/libc.so.6
#1  0x00c69a1e in malloc () from /lib/i686/nosegneg/libc.so.6
#2  0x00235998 in _dl_map_object () from /lib/ld-linux.so.2
#3  0x0023ead1 in dl_open_worker () from /lib/ld-linux.so.2
#4  0x0023ae66 in _dl_catch_error () from /lib/ld-linux.so.2
#5  0x0023e4b2 in _dl_open () from /lib/ld-linux.so.2
#6  0x00d08072 in do_dlopen () from /lib/i686/nosegneg/libc.so.6
#7  0x0023ae66 in _dl_catch_error () from /lib/ld-linux.so.2
#8  0x00d08225 in __libc_dlopen_mode () from /lib/i686/nosegneg/libc.so.6
#9  0x00ce44d9 in init () from /lib/i686/nosegneg/libc.so.6
#10 0x00ce4673 in backtrace () from /lib/i686/nosegneg/libc.so.6
#11 0x00c5ee51 in __libc_message () from /lib/i686/nosegneg/libc.so.6
#12 0x00c671d5 in _int_free () from /lib/i686/nosegneg/libc.so.6
#13 0x00c67619 in free () from /lib/i686/nosegneg/libc.so.6
#14 0x00c55756 in fclose@@GLIBC_2.1 () from /lib/i686/nosegneg/libc.so.6
#15 0x0804ca88 in ?? ()
#16 0x00c12e9c in __libc_start_main () from /lib/i686/nosegneg/libc.so.6
#17 0x0804a3f1 in ?? ()
(gdb) q
The program is running.  Exit anyway? (y or n) y
[jgilmour@xijgilmour ~]$ uname -a
Linux xijgilmour.xxx.local 2.6.18-164.11.1.el5xen #1 SMP Wed Jan 20 08:53:10 EST
2010 i686 i686 i386 GNU/Linux

Comment 2 Josh Gilmour 2010-12-30 21:07:12 UTC

oops, sorry, this is a duplicate

On Thu, Dec 30, 2010 at 4:06 PM, <openldap-its@openldap.org> wrote:

>
> *** THIS IS AN AUTOMATICALLY GENERATED REPLY ***
>
> Thanks for your report to the OpenLDAP Issue Tracking System.  Your
> report has been assigned the tracking number ITS#6756.
>
> One of our support engineers will look at your report in due course.
> Note that this may take some time because our support engineers
> are volunteers.  They only work on OpenLDAP when they have spare
> time.
>
> If you need to provide additional information in regards to your
> issue report, you may do so by replying to this message.  Note that
> any mail sent to openldap-its@openldap.org with (ITS#6756)
> in the subject will automatically be attached to the issue report.
>
>        mailto:openldap-its@openldap.org?subject=(ITS#6756)
>
> You may follow the progress of this report by loading the following
> URL in a web browser:
>    http://www.OpenLDAP.org/its/index.cgi?findid=6756
>
> Please remember to retain your issue tracking number (ITS#6756)
> on any further messages you send to us regarding this report.  If
> you don't then you'll just waste our time and yours because we
> won't be able to properly track the report.
>
> Please note that the Issue Tracking System is not intended to
> be used to seek help in the proper use of OpenLDAP Software.
> Such requests will be closed.
>
> OpenLDAP Software is user supported.
>        http://www.OpenLDAP.org/support/
>
> --------------
> Copyright 1998-2007 The OpenLDAP Foundation, All Rights Reserved.
>
>


-- 
Josh Gilmour | Windows Systems & Network Administrator

Brightcove, Inc. www.brightcove.com
One Cambridge Center, 12th Floor, Cambridge, MA 02142
P: 617.395.5843 F: 617.395.8352

++++++++++

Brightcove PLAY 2011 Global Customer Conference

May 23-25, Boston Seaport Hotel & World Trade Center

Registration Now Open: http://brightcove.com/play2011

++++++++++