8755 – invalid file descriptor when closing tls connection

Issue 8755 - invalid file descriptor when closing tls connection

Summary: invalid file descriptor when closing tls connection

Status:	VERIFIED FIXED

Alias:	None

Product:	OpenLDAP
Classification:	Unclassified
Component:	slapd (show other issues)
Version:	2.4.45
Hardware:	All All

Importance:	--- normal
Target Milestone:	---
Assignee:	OpenLDAP project

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-10-12 22:01 UTC by info@christianknueppel.de
Modified:	2019-07-24 19:00 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this issue.

Description info@christianknueppel.de 2017-10-12 22:01:35 UTC

Full_Name: Christian Knueppel
Version: 2.4.45
OS: Ubuntu 16.04.3 LTS
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (141.12.132.220)


I currently developing on a c software which is using Openldap with TLS
authentication. My software is working fine, but when i test it with valgrind, i
always get an invalid file descriptor when closing the connection.

Here is the stacktrace from valgrind:
==17517== Warning: invalid file descriptor -1 in syscall write()
==17517==    at 0x4E4A4BD: ??? (syscall-template.S:84)
==17517==    by 0x61BF5E7: sb_debug_write (in
/usr/lib/x86_64-linux-gnu/liblber-2.4.so.2.10.5)
==17517==    by 0x7261644: _gnutls_writev_emu (gnutls_buffers.c:447)
==17517==    by 0x7261644: _gnutls_writev (gnutls_buffers.c:505)
==17517==    by 0x7261644: _gnutls_io_write_flush (gnutls_buffers.c:699)
==17517==    by 0x725BDFF: _gnutls_send_tlen_int (gnutls_record.c:464)
==17517==    by 0x727E0D7: _gnutls_send_int (gnutls_record.h:43)
==17517==    by 0x727E0D7: gnutls_alert_send (gnutls_alert.c:165)
==17517==    by 0x725DCD8: gnutls_bye (gnutls_record.c:289)
==17517==    by 0x5F9F181: tlsg_sb_close (in
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2.10.5)
==17517==    by 0x61C07B1: ber_int_sb_close (in
/usr/lib/x86_64-linux-gnu/liblber-2.4.so.2.10.5)
==17517==    by 0x61C08A3: ber_sockbuf_free (in
/usr/lib/x86_64-linux-gnu/liblber-2.4.so.2.10.5)
==17517==    by 0x5F815CD: ldap_ld_free (in
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2.10.5)
==17517==    by 0x41618F: ldap_close_handle (ldap_connection.c:481)

--> In function ldap_close_handle i call ldap_unbind_ext_s(ld, NULL, NULL).

The connection is built with ldap_initialize(&ld, config.ldap_url) and
ldap_start_tls_s(ld, NULL, NULL). Options set with ldap_set_option() are
LDAP_OPT_X_TLS_REQUIRE_CERT to 2 (LDAP_OPT_X_TLS_DEMAND) and
LDAP_OPT_X_TLS_CACERTFILE are set to all SSL CA-Certificates
(/etc/ssl/certs/ca-certificates.crt). I run the ldap_unbind_ext_s command (for
test purpose) shortly after the start_tls command is finished.
When i use ldap_sasl_interactive_bind_s with DIGEST-MD5 instead of
ldap_start_tls_s, the warning doesn't appear. When i use both, tls and sasl, the
warning also appears.

My computer running on Ubuntu 16.04.3 LTS (uname: 4.4.0-97-generic x86_64) with
libldap-2.4-2 (2.4.42+dfsg-2ubuntu3.2) and libgnutls30 (3.4.10-4ubuntu1.4). I
also tested it with the newest Ubuntu Artful Aardvark and the newest openldap
(2.4.45+dfsg-1ubuntu1) and gnutls(3.5.8-6ubuntu3) release, but it didn't has any
effect in my case.

I also tryed to compiled openldap against openssl to see, if it might be a
gnutls bug, but the invalid file descriptor occurs again. The lower valgrind
stacktrace is done with openldap 2.4.45 and openssl 1.0.2g on the newest Artful
Aardvark 17.10.
==2638== Warning: invalid file descriptor -1 in syscall write()
==2638==    at 0x4E4DCC0: write (write.c:26)
==2638==    by 0x61C6E87: sb_debug_write (sockbuf.c:854)
==2638==    by 0x5FAAB4A: tlso_bio_write.part.8 (tls_o.c:790)
==2638==    by 0x516B94A: BIO_write (bio_lib.c:243)
==2638==    by 0x5B20C61: ssl3_write_pending (s3_pkt.c:1105)
==2638==    by 0x5B22E82: ssl3_dispatch_alert (s3_pkt.c:1733)
==2638==    by 0x5B1EAE6: ssl3_shutdown (s3_lib.c:4372)
==2638==    by 0x5FAA749: tlso_sb_close (tls_o.c:899)
==2638==    by 0x61C7D8A: ber_int_sb_close (sockbuf.c:383)
==2638==    by 0x61C7E73: ber_sockbuf_free (sockbuf.c:74)
==2638==    by 0x5F8D006: ldap_ld_free (unbind.c:134)
==2638==    by 0x1277B7: ldap_close_handle (ldap_connection.c:481)

Comment 1 Ondřej Kuzník 2019-05-13 15:32:01 UTC

On Thu, Oct 12, 2017 at 10:01:35PM +0000, info@christianknueppel.de wrote:
> I currently developing on a c software which is using Openldap with TLS
> authentication. My software is working fine, but when i test it with valgrind, i
> always get an invalid file descriptor when closing the connection.
> 
> Here is the stacktrace from valgrind:
> [...]
> --> In function ldap_close_handle i call ldap_unbind_ext_s(ld, NULL, NULL).
> 
> The connection is built with ldap_initialize(&ld, config.ldap_url) and
> ldap_start_tls_s(ld, NULL, NULL). Options set with ldap_set_option() are
> LDAP_OPT_X_TLS_REQUIRE_CERT to 2 (LDAP_OPT_X_TLS_DEMAND) and
> LDAP_OPT_X_TLS_CACERTFILE are set to all SSL CA-Certificates
> (/etc/ssl/certs/ca-certificates.crt). I run the ldap_unbind_ext_s command (for
> test purpose) shortly after the start_tls command is finished.
> When i use ldap_sasl_interactive_bind_s with DIGEST-MD5 instead of
> ldap_start_tls_s, the warning doesn't appear. When i use both, tls and sasl, the
> warning also appears.
> 
> My computer running on Ubuntu 16.04.3 LTS (uname: 4.4.0-97-generic x86_64) with
> libldap-2.4-2 (2.4.42+dfsg-2ubuntu3.2) and libgnutls30 (3.4.10-4ubuntu1.4). I
> also tested it with the newest Ubuntu Artful Aardvark and the newest openldap
> (2.4.45+dfsg-1ubuntu1) and gnutls(3.5.8-6ubuntu3) release, but it didn't has any
> effect in my case.
> 
> I also tryed to compiled openldap against openssl to see, if it might be a
> gnutls bug, but the invalid file descriptor occurs again. The lower valgrind
> stacktrace is done with openldap 2.4.45 and openssl 1.0.2g on the newest Artful
> Aardvark 17.10.
> [...]

Yes, it looks like the main SockBuf closing is run twice, once in
ldap_free_connection and once directly in ldap_ld_free. I think we don't
enforce that SockBuf implementations set sb_fd != AC_SOCKET_INVALID, so
not sure yet if we can gate calling sb_close on that or something else.

I'll see if there's a way to make this work better.

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP

Comment 2 Ondřej Kuzník 2019-05-14 12:07:54 UTC

On Mon, May 13, 2019 at 03:32:19PM +0000, ondra@mistotebe.net wrote:
> Yes, it looks like the main SockBuf closing is run twice, once in
> ldap_free_connection and once directly in ldap_ld_free. I think we don't
> enforce that SockBuf implementations set sb_fd != AC_SOCKET_INVALID, so
> not sure yet if we can gate calling sb_close on that or something else.
> 
> I'll see if there's a way to make this work better.

There's a proposed patch at
https://github.com/mistotebe/openldap/tree/its8755

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP

Comment 3 Quanah Gibson-Mount 2019-06-20 17:45:49 UTC

changed notes
changed state Open to Release
moved from Incoming to Software Bugs

Comment 4 OpenLDAP project 2019-07-24 19:00:59 UTC

Fixed in master
Fixed in RE24 (2.4.48)

Comment 5 Quanah Gibson-Mount 2019-07-24 19:00:59 UTC

changed notes
changed state Release to Closed