
crasher in SASL authorization code (ITS#2234)



Full_Name: Luke Howard
Version: HEAD
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (165.228.130.12)


I'm still tracking this one down, but it appears that occasionally OpenLDAP will
attempt to free the authorization identity which Cyrus SASL "owns". (I'm using
Cyrus SASL 2.1.10, but the same applied to 2.1.7.)

Valgrind shows the following:

==28695== Thread 3:
==28695== Invalid free() / delete / delete[]
==28695==    at 0x40048709: free (vg_clientfuncs.c:180)
==28695==    by 0x402EBC9D: _sasl_conn_dispose (common.c:467)
==28695==    by 0x402EFD24: server_dispose (server.c:236)
==28695==    by 0x402EBC33: sasl_dispose (common.c:456)
==28695==    Address 0x4116B010 is 0 bytes inside a block of size 56 free'd
==28695==    at 0x40048709: free (vg_clientfuncs.c:180)
==28695==    by 0x806C0E5: (within /usr/xad/libexec/slapd)
==28695==    by 0x808FCE0: (within /usr/xad/libexec/slapd)
==28695==    by 0x402F0E94: do_authorization (server.c:1017)
==28695== 

Note that it's not particularly helpful as to where in slapd the free is
occurring, although do_authorization() does call the proxy policy callback so it
must be within slap_sasl_authorize().

I will look into it further and commit a fix if I find one.
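
The ownership confusion described in this report, as an added example that is not part of the original message and is not OpenLDAP or Cyrus SASL code: a toy library lends its authorization-identity buffer to a policy callback and frees it itself at dispose time. All names (`struct conn`, `tracked_strdup`, `tracked_free`, `run_session`, both callbacks) and the identity string are hypothetical; frees are recorded rather than executed twice, so the second free is counted instead of corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy model; none of this is Cyrus SASL or slapd code. */
static struct slot { void *p; int freed; } slots[8];
static int nslots, invalid_frees;

static char *tracked_strdup(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (!p || nslots == 8) { free(p); return NULL; }
    strcpy(p, s);
    slots[nslots++] = (struct slot){ p, 0 };
    return p;
}

/* Marks a block released; the real free() is deferred to release_all()
 * so a repeated free is counted instead of corrupting the heap. */
static void tracked_free(void *p) {
    for (int i = 0; p && i < nslots; i++)
        if (slots[i].p == p) {
            invalid_frees += slots[i].freed;  /* already released once */
            slots[i].freed = 1;
            return;
        }
}
static void release_all(void) { while (nslots > 0) free(slots[--nslots].p); }

struct conn { char *authzid; };  /* hypothetical: the library owns authzid */
/* Buggy policy callback: frees a buffer it was only lent. */
static void cb_frees_borrowed(struct conn *c) { tracked_free(c->authzid); }
/* Corrected callback: works on a private copy and frees only that. */
static void cb_copies(struct conn *c) {
    char *mine = tracked_strdup(c->authzid);
    tracked_free(mine);
}

/* Library side: create the identity, run the callback, then dispose. */
static int run_session(void (*cb)(struct conn *)) {
    struct conn c = { tracked_strdup("u:constructed-user") };
    invalid_frees = 0;
    cb(&c);
    tracked_free(c.authzid);  /* the owner's free at dispose time */
    release_all();
    return invalid_frees;
}

int main(void) {
    printf("frees borrowed: %d invalid free(s)\n", run_session(cb_frees_borrowed));
    printf("copies instead: %d invalid free(s)\n", run_session(cb_copies));
    return 0;
}
```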