[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#7270) Double free in ldap_int_initialize



Full_Name: Frederik Deweerdt
Version: current HEAD
OS: Linux
URL: ftp://ftp.openldap.org/incoming/Frederik-Deweerdt-120511.patch
Submission from: (NULL) (72.5.239.5)


[PATCH]  Protect accesses to ldap_int_hostname with a mutex


Not protecting the accesses to ldap_int_hostname would lead to a double
free with the following trace:

	#7  0x0000003aca031d10 in abort () from /lib64/libc.so.6
	No symbol table info available.
	#8  0x0000003aca06a99b in __libc_message () from /lib64/libc.so.6
	No symbol table info available.
	#9  0x0000003aca0729d6 in free () from /lib64/libc.so.6
	No symbol table info available.
	#10 0x000000328902333e in ldap_int_initialize ()
	   from /usr/lib64/libldap-2.3.so.0
	No symbol table info available.
	#11 0x000000328900c426 in ldap_create () from /usr/lib64/libldap-2.3.so.0
	No symbol table info available.
	#12 0x000000328900ca0d in ldap_init () from /usr/lib64/libldap-2.3.so.0
	No symbol table info available.

The race in init.c:ldap_int_initialize is as follows:
646                 char    *name = ldap_int_hostname;
647
648                 ldap_int_hostname = ldap_pvt_get_fqdn( name );
649
650                 if ( name != NULL && name != ldap_int_hostname ) {
651                         LDAP_FREE( name );
652                 }

- T1 and T2 enter ldap_int_initialize, both assign to name the current
address of ldap_int_hostname, say 0x1234.
- T1 and T2 call ldap_pvt_get_fqdn(), updating ldap_int_hostname to 0x1235
and 0x1236 respectively.
- T1 and T2 reach the name != ldap_int_hostname check. In both threads
it's false, because 0x1235 != 0x1234 and 0x1236 != 0x1234, respectively.
- T1 and T2 both try to free 0x1234 => Crash.
---
 libraries/libldap/init.c     |    2 ++
 libraries/libldap/ldap-int.h |    1 +
 libraries/libldap/util-int.c |    3 +++
 3 files changed, 6 insertions(+), 0 deletions(-)