
RE: ldap_sasl_interactive_bind_s leaks? (ITS#2423)



> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org [mailto:owner-openldap-bugs@OpenLDAP.org] On Behalf Of igor@ypass.net

> > >> > >On Mon, 14 Apr 2003, Howard Chu wrote:
> > >> > >> > > I think sasl_done() needs to be called during ldap_unbind() and
> > >> > >> > > ldap_int_sasl_init() needs to be called every time ldap_init(ialize)()
> > >> > >> > > runs rather than just once.  Please see attached patch. My patch also
> > >> > >> > > fixes threadsafe issue in ldap_int_sasl_init().

> > >> > >> > This solution isn't any better. My interpretation of the SASL docs is that
> > >> > >> > sasl_done() only needs to be called once, at the end of the particular

> > >> > >This is an incorrect interpretation according to the Cyrus team;
> > >> > >sasl_done() is meant to be used multiple times within an application.
> > >> > >
> > >> > >However, cyrus bug 1963 is preventing sasl_done() from being used
> > >> > >properly.  The bug is currently being worked on.

> Cyrus team has posted a fix for bug 1963 in cvs.

Thanks for keeping us posted.

> > >> > >> This is probably true until cyrus-sasl bug 1963 is developed.
> > >> > >> sasl_done() clears digest-md5 reauth buffer.  This is what causes the
> > >> > >> leak, the buffer is never cleared.

The sasl_done() fix doesn't change anything in libldap. The purpose of the
DIGEST-MD5 reauth buffer is to allow fast rebinds for clients that create a
series of sessions within some small timeframe. If we change libldap to call
sasl_done() on every ldap_unbind() then according to what you have written,
the reauth buffer will be cleared after every single bind/unbind session,
thus defeating its purpose.

Once again - the reauth buffer is defined with a fixed size, it is not
intended to grow without bound over the life of an application. If you see
that it grows without bounds, then there is a bug in the reauth buffer
management code, and that bug needs to be fixed regardless of whether an app
ever calls sasl_done(). If the buffer is always growing, but all of the
memory is properly reclaimed by sasl_done(), then at least you know the
memory isn't being leaked outright. Just the memory accounting that keeps
track of the number of buffer entries is broken.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
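
The argument in the message above, as an added example that is not part of the original post and is not Cyrus SASL or OpenLDAP code: a fixed-size reauth cache stays bounded across any number of bind/unbind cycles, and tearing it down on every unbind removes all fast rebinds. The slot count, the hash and every name here (`reauth_store`, `reauth_done`, `simulate`) are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REAUTH_SLOTS 8   /* assumed capacity, not the Cyrus SASL value */
struct reauth_entry { char *authid; unsigned uses; };
static struct reauth_entry cache[REAUTH_SLOTS];
static size_t live;      /* heap strings currently owned by the cache */

static size_t slot_for(const char *s) {
    size_t h = 5381;
    while (*s) h = h * 33 + (unsigned char)*s++;
    return h % REAUTH_SLOTS;
}

/* Record a bind; returns the use count of its entry (0 on malloc failure).
 * A colliding entry is freed before reuse, so live <= REAUTH_SLOTS. */
unsigned reauth_store(const char *authid) {
    struct reauth_entry *e = &cache[slot_for(authid)];
    if (e->authid && strcmp(e->authid, authid) == 0)
        return ++e->uses;                 /* fast rebind path */
    if (e->authid) { free(e->authid); e->authid = NULL; live--; }
    size_t n = strlen(authid) + 1;
    if ((e->authid = malloc(n)) == NULL) return e->uses = 0;
    memcpy(e->authid, authid, n);
    live++;
    return e->uses = 1;
}

/* Library-wide teardown: the role sasl_done() plays in the thread. */
void reauth_done(void) {
    for (size_t i = 0; i < REAUTH_SLOTS; i++) free(cache[i].authid);
    memset(cache, 0, sizeof cache);
    live = 0;
}
size_t reauth_live(void) { return live; }

/* Run bind/unbind cycles over `users` ids; returns the fast-rebind count. */
unsigned simulate(unsigned sessions, unsigned users, int done_each_unbind) {
    unsigned hits = 0; char id[32];
    reauth_done();                        /* start from an empty cache */
    for (unsigned i = 0; i < sessions; i++) {
        snprintf(id, sizeof id, "user%u", i % users);
        if (reauth_store(id) > 1) hits++;
        if (done_each_unbind) reauth_done();
    }
    return hits;
}

int main(void) {
    printf("shared cache: %u fast rebinds\n", simulate(1000, 1, 0));
    printf("done() per unbind: %u fast rebinds\n", simulate(1000, 1, 1));
}
```

If `reauth_live()` ever exceeded `REAUTH_SLOTS` in a cache like this, the defect would be in the eviction accounting inside `reauth_store`, independent of how often teardown runs.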