Full_Name: Christian Knueppel
Version: 2.4.45
OS: Ubuntu 16.04.3 LTS
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (141.12.132.220)

I am currently developing a C software which is using OpenLDAP with TLS authentication. My software is working fine, but when I test it with valgrind, I always get an invalid file descriptor when closing the connection.

Here is the stacktrace from valgrind:

==17517== Warning: invalid file descriptor -1 in syscall write()
==17517==    at 0x4E4A4BD: ??? (syscall-template.S:84)
==17517==    by 0x61BF5E7: sb_debug_write (in /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2.10.5)
==17517==    by 0x7261644: _gnutls_writev_emu (gnutls_buffers.c:447)
==17517==    by 0x7261644: _gnutls_writev (gnutls_buffers.c:505)
==17517==    by 0x7261644: _gnutls_io_write_flush (gnutls_buffers.c:699)
==17517==    by 0x725BDFF: _gnutls_send_tlen_int (gnutls_record.c:464)
==17517==    by 0x727E0D7: _gnutls_send_int (gnutls_record.h:43)
==17517==    by 0x727E0D7: gnutls_alert_send (gnutls_alert.c:165)
==17517==    by 0x725DCD8: gnutls_bye (gnutls_record.c:289)
==17517==    by 0x5F9F181: tlsg_sb_close (in /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2.10.5)
==17517==    by 0x61C07B1: ber_int_sb_close (in /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2.10.5)
==17517==    by 0x61C08A3: ber_sockbuf_free (in /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2.10.5)
==17517==    by 0x5F815CD: ldap_ld_free (in /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2.10.5)
==17517==    by 0x41618F: ldap_close_handle (ldap_connection.c:481)

--> In function ldap_close_handle I call ldap_unbind_ext_s(ld, NULL, NULL).

The connection is built with ldap_initialize(&ld, config.ldap_url) and ldap_start_tls_s(ld, NULL, NULL). Options set with ldap_set_option() are LDAP_OPT_X_TLS_REQUIRE_CERT to 2 (LDAP_OPT_X_TLS_DEMAND) and LDAP_OPT_X_TLS_CACERTFILE is set to all SSL CA-Certificates (/etc/ssl/certs/ca-certificates.crt). I run the ldap_unbind_ext_s command (for test purpose) shortly after the start_tls command is finished.
When I use ldap_sasl_interactive_bind_s with DIGEST-MD5 instead of ldap_start_tls_s, the warning doesn't appear. When I use both, tls and sasl, the warning also appears.

My computer is running on Ubuntu 16.04.3 LTS (uname: 4.4.0-97-generic x86_64) with libldap-2.4-2 (2.4.42+dfsg-2ubuntu3.2) and libgnutls30 (3.4.10-4ubuntu1.4). I also tested it with the newest Ubuntu Artful Aardvark and the newest openldap (2.4.45+dfsg-1ubuntu1) and gnutls (3.5.8-6ubuntu3) release, but it didn't have any effect in my case.

I also tried to compile openldap against openssl to see if it might be a gnutls bug, but the invalid file descriptor occurs again. The lower valgrind stacktrace is done with openldap 2.4.45 and openssl 1.0.2g on the newest Artful Aardvark 17.10.

==2638== Warning: invalid file descriptor -1 in syscall write()
==2638==    at 0x4E4DCC0: write (write.c:26)
==2638==    by 0x61C6E87: sb_debug_write (sockbuf.c:854)
==2638==    by 0x5FAAB4A: tlso_bio_write.part.8 (tls_o.c:790)
==2638==    by 0x516B94A: BIO_write (bio_lib.c:243)
==2638==    by 0x5B20C61: ssl3_write_pending (s3_pkt.c:1105)
==2638==    by 0x5B22E82: ssl3_dispatch_alert (s3_pkt.c:1733)
==2638==    by 0x5B1EAE6: ssl3_shutdown (s3_lib.c:4372)
==2638==    by 0x5FAA749: tlso_sb_close (tls_o.c:899)
==2638==    by 0x61C7D8A: ber_int_sb_close (sockbuf.c:383)
==2638==    by 0x61C7E73: ber_sockbuf_free (sockbuf.c:74)
==2638==    by 0x5F8D006: ldap_ld_free (unbind.c:134)
==2638==    by 0x1277B7: ldap_close_handle (ldap_connection.c:481)

On Thu, Oct 12, 2017 at 10:01:35PM +0000, info@christianknueppel.de wrote:
> I am currently developing a C software which is using OpenLDAP with TLS
> authentication. My software is working fine, but when I test it with valgrind, I
> always get an invalid file descriptor when closing the connection.
>
> Here is the stacktrace from valgrind:
> [...]
> --> In function ldap_close_handle I call ldap_unbind_ext_s(ld, NULL, NULL).
>
> The connection is built with ldap_initialize(&ld, config.ldap_url) and
> ldap_start_tls_s(ld, NULL, NULL). Options set with ldap_set_option() are
> LDAP_OPT_X_TLS_REQUIRE_CERT to 2 (LDAP_OPT_X_TLS_DEMAND) and
> LDAP_OPT_X_TLS_CACERTFILE is set to all SSL CA-Certificates
> (/etc/ssl/certs/ca-certificates.crt). I run the ldap_unbind_ext_s command (for
> test purpose) shortly after the start_tls command is finished.
> When I use ldap_sasl_interactive_bind_s with DIGEST-MD5 instead of
> ldap_start_tls_s, the warning doesn't appear. When I use both, tls and sasl, the
> warning also appears.
>
> My computer is running on Ubuntu 16.04.3 LTS (uname: 4.4.0-97-generic x86_64) with
> libldap-2.4-2 (2.4.42+dfsg-2ubuntu3.2) and libgnutls30 (3.4.10-4ubuntu1.4). I
> also tested it with the newest Ubuntu Artful Aardvark and the newest openldap
> (2.4.45+dfsg-1ubuntu1) and gnutls (3.5.8-6ubuntu3) release, but it didn't have any
> effect in my case.
>
> I also tried to compile openldap against openssl to see if it might be a
> gnutls bug, but the invalid file descriptor occurs again. The lower valgrind
> stacktrace is done with openldap 2.4.45 and openssl 1.0.2g on the newest Artful
> Aardvark 17.10.
> [...]

Yes, it looks like the main SockBuf closing is run twice, once in
ldap_free_connection and once directly in ldap_ld_free. I think we don't
enforce that SockBuf implementations set sb_fd != AC_SOCKET_INVALID, so
not sure yet if we can gate calling sb_close on that or something else.

I'll see if there's a way to make this work better.

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP

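The double close described in the reply above, modelled in self-contained C as an added example (not OpenLDAP code and not part of the thread): toy_sockbuf, tls_layer_close and both close functions are hypothetical names. The guarded variant assumes every open buffer carries a valid fd, which the reply notes is not enforced for all SockBuf implementations.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#define FD_INVALID (-1) /* stands in for AC_SOCKET_INVALID */

/* Toy socket buffer (hypothetical, not liblber's Sockbuf). */
struct toy_sockbuf {
    int fd;         /* underlying descriptor */
    int bad_writes; /* writes attempted on an invalid descriptor */
};

/* TLS layer close hook: sends a shutdown alert to the peer. */
static void tls_layer_close(struct toy_sockbuf *sb) {
    static const char alert[] = "\x15\x03\x03"; /* constructed bytes */
    if (write(sb->fd, alert, sizeof alert - 1) < 0 && errno == EBADF)
        sb->bad_writes++;
}

/* Unguarded close: runs the layer hook on every call. */
static void sb_close_unguarded(struct toy_sockbuf *sb) {
    tls_layer_close(sb);
    if (sb->fd != FD_INVALID) {
        close(sb->fd);
        sb->fd = FD_INVALID;
    }
}

/* Guarded close: skips the hook once the descriptor is already gone. */
static void sb_close_guarded(struct toy_sockbuf *sb) {
    if (sb->fd != FD_INVALID)
        sb_close_unguarded(sb);
}

/* Close the same buffer twice, as two teardown paths would;
 * return how many writes hit an invalid descriptor. */
static int close_twice(int guarded) {
    int p[2];
    if (pipe(p) != 0)
        return -1;
    struct toy_sockbuf sb = { p[1], 0 };
    for (int i = 0; i < 2; i++)
        (guarded ? sb_close_guarded : sb_close_unguarded)(&sb);
    close(p[0]);
    return sb.bad_writes;
}

int main(void) {
    printf("unguarded: %d, guarded: %d\n", close_twice(0), close_twice(1));
    return 0;
}
```

Running the unguarded path under valgrind produces the same class of "invalid file descriptor -1 in syscall write()" warning as in the report, because the second close still runs the alert write.
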
On Mon, May 13, 2019 at 03:32:19PM +0000, ondra@mistotebe.net wrote:
> Yes, it looks like the main SockBuf closing is run twice, once in
> ldap_free_connection and once directly in ldap_ld_free. I think we don't
> enforce that SockBuf implementations set sb_fd != AC_SOCKET_INVALID, so
> not sure yet if we can gate calling sb_close on that or something else.
>
> I'll see if there's a way to make this work better.

There's a proposed patch at
https://github.com/mistotebe/openldap/tree/its8755

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP

changed notes
changed state Open to Release
moved from Incoming to Software Bugs

Fixed in master
Fixed in RE24 (2.4.48)

changed notes
changed state Release to Closed