(ITS#4998) overlays/ppolicy.c: invalid pointer due to free() of unallocated buffer

Full_Name: Michael Steinmann
Version: 2.3.35 / HEAD
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

This is while testing a custom pwdCheckModule.
In function check_password_quality(), char *txt is free()'d, slapd crashes with
"invalid pointer".

Core was generated by `servers/slapd/slapd -f etc/openldap/slapd.conf -h
ldap://localhost:10389/ -d 9'.
Program terminated with signal 6, Aborted.
#0  0xb7b3a0b6 in raise () from /lib/libc.so.6
(gdb) bt
#0  0xb7b3a0b6 in raise () from /lib/libc.so.6
#1  0xb7b3b841 in abort () from /lib/libc.so.6
#2  0xb7b7019b in __libc_message () from /lib/libc.so.6
#3  0xb7b75de2 in malloc_printerr () from /lib/libc.so.6
#4  0x08089bb8 in ch_free (ptr=0xb7c3aff4) at ch_malloc.c:139
#5  0x08119833 in check_password_quality (cred=0x2, pp=<value optimized out>,
err=0xb752becc, e=0x8285998) at ppolicy.c:650
#6  0x0811ac59 in ppolicy_modify (op=0x8285028, rs=0xb752c1c4) at
#7  0x080c7134 in overlay_op_walk (op=0x8285028, rs=0xb752c1c4, which=op_modify,
oi=0x822f488, on=0x822f578) at backover.c:498
#8  0x080c758d in over_op_func (op=0x8285028, rs=0xb752c1c4, which=op_modify) at
#9  0x080a117b in passwd_extop (op=0x8285028, rs=0xb752c1c4) at passwd.c:284
#10 0x0809f611 in fe_extended (op=0x8285028, rs=0xb752c1c4) at extended.c:215
#11 0x0809fb79 in do_extended (op=0x8285028, rs=0xb752c1c4) at extended.c:180
#12 0x08070589 in connection_operation (ctx=0xb752c238, arg_v=0x8285028) at
#13 0x08143ae3 in ldap_int_thread_pool_wrapper (xpool=0x820eb40) at tpool.c:478
#14 0xb7c43f8a in start_thread () from /lib/libpthread.so.0
#15 0xb752c480 in ?? ()
#16 0xb752c480 in ?? ()
#17 0xb752c480 in ?? ()
#18 0xb752c480 in ?? ()
#19 0x00000000 in ?? ()

Patch below fixes the issue.

Index: ppolicy.c
RCS file: /repo/OpenLDAP/pkg/ldap/servers/slapd/overlays/ppolicy.c,v
retrieving revision 1.98
diff -r1.98 ppolicy.c
<                                       free(txt);
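
Review bot: deleting `free(txt);` from check_password_quality() stops the abort, but it also removes the only release of the message buffer, so a pwdCheckModule that does allocate txt would leak it on every call that reaches this path. The backtrace shows ch_free() receiving ptr=0xb7c3aff4, and the report describes the buffer as unallocated, which suggests txt reaches the free without a defined value. Consider initializing it before the module call (`char *txt = NULL;`) and keeping the free, and stating in the module interface documentation who owns that buffer. The diff as posted also lacks its change-command line (the `NNNdNNN` header before the `<` line), so it cannot be applied with patch as is.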