
(ITS#6755) ldapsearch crashes - double free or corruption (!prev): 0x0989f5f8
Full_Name: Josh Gilmour
Version: ldapsearch 2.3.43 (Nov 29 2010 03:47:14)
OS: CentOS release 5.4 32bit
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (38.112.23.58)
I get a segfault when using the following command and applying a filter file. If
we remove the -f, the command runs properly. It doesn't seem to be a major
security issue (or one at all, I'm not sure), but it does seem to be a bug, I
believe...

The file I'm using for the -f parameter, 'testing', just has the letter 'a' in
it.

Here is the process output from gdb:

[jgilmour@xijgilmour ~]$ gdb ldapsearch
GNU gdb Fedora (6.8-37.el5)
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
(no debugging symbols found)
(gdb) r -x -LLL -h xxx.local -D "xxx@xxx.local" -E pr=1/noprompt -w password -b
"OU=xxx,dc=xxx,dc=local" -S sAMAccountName -f testing
Starting program: /usr/bin/ldapsearch -x -LLL -h xxx.local -D "xxx@xxx.local" -E
pr=1/noprompt -w password -b "OU=xxx,dc=xxx,dc=local" -S sAMAccountName -f
testing
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
dn: OU=xxx,DC=xxx,DC=LOCAL
objectClass: top
objectClass: organizationalUnit
ou: xxx
distinguishedName: OU=xxx,DC=xxx,DC=LOCAL
instanceType: 4
whenCreated: 20050103174000.0Z
whenChanged: 20081117191042.0Z
uSNCreated: 12371
uSNChanged: 6388825
name: xxx
objectGUID:: qjRiugCNd0eXyrXkHlETpA==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=xxx,D
 C=LOCAL
dSCorePropagationData: 20080818221029.0Z
dSCorePropagationData: 20080628202026.0Z
dSCorePropagationData: 20070611215308.0Z
dSCorePropagationData: 20070611213209.0Z
dSCorePropagationData: 16010714223649.0Z

*** glibc detected *** /usr/bin/ldapsearch: double free or corruption (!prev):
0x086a35f8 ***

Program received signal SIGSEGV, Segmentation fault.
0x00c67a3f in _int_malloc () from /lib/i686/nosegneg/libc.so.6
(gdb) i r
eax            0x169    361
ecx            0xd43170 13906288
edx            0x86a35f0        141178352
ebx            0xd41ff4 13901812
esp            0xbf9a7078       0xbf9a7078
ebp            0xbf9a713c       0xbf9a713c
esi            0x168    360
edi            0xb7fdb000       -1208111104
eip            0xc67a3f 0xc67a3f <_int_malloc+703>
eflags         0x210283 [ CF SF IF RF ID ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) bt
#0  0x00c67a3f in _int_malloc () from /lib/i686/nosegneg/libc.so.6
#1  0x00c69a1e in malloc () from /lib/i686/nosegneg/libc.so.6
#2  0x00235998 in _dl_map_object () from /lib/ld-linux.so.2
#3  0x0023ead1 in dl_open_worker () from /lib/ld-linux.so.2
#4  0x0023ae66 in _dl_catch_error () from /lib/ld-linux.so.2
#5  0x0023e4b2 in _dl_open () from /lib/ld-linux.so.2
#6  0x00d08072 in do_dlopen () from /lib/i686/nosegneg/libc.so.6
#7  0x0023ae66 in _dl_catch_error () from /lib/ld-linux.so.2
#8  0x00d08225 in __libc_dlopen_mode () from /lib/i686/nosegneg/libc.so.6
#9  0x00ce44d9 in init () from /lib/i686/nosegneg/libc.so.6
#10 0x00ce4673 in backtrace () from /lib/i686/nosegneg/libc.so.6
#11 0x00c5ee51 in __libc_message () from /lib/i686/nosegneg/libc.so.6
#12 0x00c671d5 in _int_free () from /lib/i686/nosegneg/libc.so.6
#13 0x00c67619 in free () from /lib/i686/nosegneg/libc.so.6
#14 0x00c55756 in fclose@@GLIBC_2.1 () from /lib/i686/nosegneg/libc.so.6
#15 0x0804ca88 in ?? ()
#16 0x00c12e9c in __libc_start_main () from /lib/i686/nosegneg/libc.so.6
#17 0x0804a3f1 in ?? ()
(gdb) q
The program is running.  Exit anyway? (y or n) y
[jgilmour@xijgilmour ~]$ uname -a
Linux xijgilmour.xxx.local 2.6.18-164.11.1.el5xen #1 SMP Wed Jan 20 08:53:10 EST
2010 i686 i686 i386 GNU/Linux