[Date Prev][Date Next] [Chronological] [Thread] [Top]

Double-free() (ITS#974)

Full_Name: Mike Schiraldi
Version: 2.0.7
OS: RHL 7.0
Submission from: (NULL) (

There's a double-free() somewhere in OpenLDAP. I'll fool around and try to
figure out how the memory-debugging #defines work, but in the meantime if any of
you want to jump in...

1. Patch ldapsearch.c as follows. This replaces free() with a new function that
keeps track of when it gets called and makes sure it never gets called twice
with the same pointer. (since the real free() doesn't get called, there's no way
a new malloc() could produce a fresh pointer at that location)

--- old/ldapsearch.c      Mon Nov  6 11:49:44 2000
+++ new/ldapsearch.c        Fri Jan 19 16:43:56 2001
@@ -160,6 +160,23 @@
 static char    *sortattr = NULL;
 static int     verbose, not, includeufn, vals2tmp, ldif;
+static void * table[1000];
+static int count = 0;
+void free(void *ptr)
+  int i;
+  for(i=0; i<count; i++)
+    if(table[i] == ptr)
+      {
+        printf("free() called twice on %d\n", (int)ptr);
+        abort();
+      }
+  table[count++] = ptr;
 main( int argc, char **argv )

2. Recompile. Run 

./ldapsearch -C -vvv -x -P2 -h ldap.research.netsol.com -s sub -b 
"dc=thecobblershoppe,dc=com" "(mail=marilyn@thecobblershoppe.com)"

3. It should abort. On my system, the bad pointer was 134747360 and the
backtrace (for the second call to free()) is as follows:

#0  0x4017a4e1 in __kill () from /lib/libc.so.6
#1  0x4017a2ba in raise (sig=6) at ../sysdeps/posix/raise.c:27
#2  0x4017ba82 in abort () at ../sysdeps/generic/abort.c:88
#3  0x804a5f8 in free (ptr=0x80814e0) at ldapsearch.c:174
#4  0x8057116 in ldap_chase_referrals (ld=0x806e8f8, lr=0x807b2c0,
errstrp=0x807b2dc, hadrefp=0xbfffb760) at request.c:928
#5  0x804ed03 in try_read1msg (ld=0x806e8f8, msgid=-1, all=0, sb=0x80755f8,
lc=0x80755c8, result=0xbfffb878) at result.c:543
#6  0x804e6ec in wait4msg (ld=0x806e8f8, msgid=-1, all=0, timeout=0x0,
result=0xbfffb878) at result.c:305
#7  0x804bd55 in dosearch (ld=0x806e8f8, base=0x8069e28
"dc=thecobblershoppe,dc=com", scope=2, filtpatt=0x0, value=0x8069e48
"(mail=marilyn@thecobblershoppe.com)", attrs=0xbffff9e4, attrsonly=0,
    cctrls=0x0, timelimit=0x0, sizelimit=-1) at ldapsearch.c:952
#8  0x804b77b in main (argc=13, argv=0xbffff9b4) at ldapsearch.c:869
#9  0x40169b65 in __libc_start_main (main=0x804a60c <main>, argc=13,
ubp_av=0xbffff9b4, init=0x8049c74 <_init>, fini=0x8060dfc <_fini>,
rtld_fini=0x4000df24 <_dl_fini>, stack_end=0xbffff9ac)
    at ../sysdeps/generic/libc-start.c:111