
(ITS#8566) OpenLDAP client API SASL auth memory leak

Full_Name: Bill Clay
Version: 2.4.44
OS: Debian/GNU Linux 7.8 (Wheezy)
Submission from: (NULL) (

Valgrind runs of a testbed script driving an OpenLDAP API client module I am
developing appear to show a consistent, reproducible memory leak ("lost memory")
when using the SASL default authentication mech (DIGEST-MD5 for my system) over
any underlying transport: ldapi://, ldap://, ldaps://.  The first two transports
show identical symptoms with or without startTLS prior to authentication.

Additional test and symptom details:

* Using the same testbed and client module and either SASL mech EXTERNAL or LDAP
simple bind, valgrind indicates no lost memory.

* Symptoms are constant with or without proxy authz (i.e., a SASL interactive
callback SASL_CB_USER response).

* I have not configured or tested other SASL mechs in this environment.

* The FIRST SASL authentication of a process does NOT show a memory leak.

* Each SASL authentication of a process AFTER the first shows one additional
realloc leak of the same size (500-600 bytes depending on bind details).

* The iterative test is: [ldap_initialize()], [ldap_start_tls_s()],
ldap_sasl_interactive_bind_s(), [ldap_search_ext_s()], [ldap_whoami_s()],
[ldap_unbind_ext_s()], where [] indicates calls whose omission yields no change
in symptoms (except initialize is always called for the first iteration of a
sequence and after an unbind; unbind is always called after the last


Debian 7 Wheezy

OpenLDAP v. 2.4.44 original (not Debian) source custom build: 
./configure --sysconfdir=/etc --localstatedir=/ \
 --disable-backends --enable-mdb --enable-monitor \
 --enable-crypt --enable-cleartext \
 --with-cyrus-sasl --enable-spasswd --enable-syslog --enable-local \
 --disable-overlays --enable-memberof --enable-refint --enable-unique \
 --disable-modules --with-tls --with-threads --with-gnu-ld

Sample valgrind output (the call stack is always the same, except for exact

valgrind --leak-check=full /usr/local/src/altit-sso/lf-ldap/mldap_full_test.lua
==4149== Memcheck, a memory error detector
==4149== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==4149== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==4149== Command: /usr/local/src/altit-sso/lf-ldap/mldap_full_test.lua
create cctx regkey 556aeaf3c864af2e_mldap_connection, cctx=0699c028, stack 0
1	1	SASL bind uid + p/w
enter mldap_bind(), regkey=556aeaf3c864af2e_mldap_connection, cctx=0x699c028
mldap_bind call ldap_initialize("ldap://fuji.pvt.suresys.com")
mldap_bind after ldap_bind(0x699cac0), cctx=0x699c028

< snip - 8 iterations removed >

10	1	SASL bind uid + p/w
enter mldap_bind(), regkey=556aeaf3c864af2e_mldap_connection, cctx=0x699c028
mldap_bind after ldap_bind(0x699cac0), cctx=0x699c028

unbind cctx->ldp=0x699cac0
exit unbind
normal termination, 10 iterations
enter mldap_gc(); cctx->ldp=0
exit mldap_gc()
==4149== HEAP SUMMARY:
==4149==     in use at exit: 45,614 bytes in 334 blocks
==4149==   total heap usage: 3,543 allocs, 3,209 frees, 169,733,045 bytes
==4149== 4,896 bytes in 9 blocks are definitely lost in loss record 122 of 124
==4149==    at 0x4C28CCE: realloc (vg_replace_malloc.c:632)
==4149==    by 0x7712426: _plug_buf_alloc (in
==4149==    by 0x770C232: add_to_challenge (in
==4149==    by 0x770E689: make_client_response (in
==4149==    by 0x770EC97: digestmd5_client_mech_step (in
==4149==    by 0x5CD03AD: sasl_client_step (in
==4149==    by 0x5CD08DA: sasl_client_start (in
==4149==    by 0x405386E: ldap_int_sasl_bind (cyrus.c:510)
==4149==    by 0x4056E5F: ldap_sasl_interactive_bind (sasl.c:487)
==4149==    by 0x405702B: ldap_sasl_interactive_bind_s (sasl.c:521)
==4149==    by 0x4027663: mldap_bind (mldap.c:647)
==4149==    by 0x408C31: luaD_precall (in /usr/bin/lua5.2)
==4149== LEAK SUMMARY:
==4149==    definitely lost: 4,896 bytes in 9 blocks
==4149==    indirectly lost: 0 bytes in 0 blocks
==4149==      possibly lost: 0 bytes in 0 blocks
==4149==    still reachable: 40,718 bytes in 325 blocks
==4149==         suppressed: 0 bytes in 0 blocks
==4149== Reachable blocks (those to which a pointer was found) are not shown.
==4149== To see them, rerun with: --leak-check=full --show-reachable=yes
==4149== For counts of detected and suppressed errors, rerun with: -v
==4149== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 31 from 7)
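
A triage helper for Memcheck output like the above, as an added example that is not part of the original report: it parses the loss records, keeps those whose stack passes through `ldap_sasl_interactive_bind_s`, and checks the block count against the "every bind after the first leaks once" pattern. The function names and the embedded sample (lines copied from the output above) are assumptions made for this example.

```python
import re

# Constructed sample: leak-record lines copied from the Memcheck output in the report.
SAMPLE = """\
==4149== 4,896 bytes in 9 blocks are definitely lost in loss record 122 of 124
==4149==    at 0x4C28CCE: realloc (vg_replace_malloc.c:632)
==4149==    by 0x7712426: _plug_buf_alloc (in
==4149==    by 0x770C232: add_to_challenge (in
==4149==    by 0x405386E: ldap_int_sasl_bind (cyrus.c:510)
==4149==    by 0x405702B: ldap_sasl_interactive_bind_s (sasl.c:521)
==4149== LEAK SUMMARY:
==4149==    definitely lost: 4,896 bytes in 9 blocks
"""

RECORD = re.compile(r"^==\d+==\s+([\d,]+) bytes in ([\d,]+) blocks are (definitely|indirectly|possibly) lost")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+)")

def parse_leaks(text):
    """Return one dict per Memcheck loss record: kind, bytes, blocks, call stack."""
    records, current = [], None
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            current = {"kind": m.group(3),
                       "bytes": int(m.group(1).replace(",", "")),
                       "blocks": int(m.group(2).replace(",", "")),
                       "stack": []}
            records.append(current)
            continue
        f = FRAME.match(line)
        if f and current is not None:
            current["stack"].append(f.group(1))
        elif not f:
            current = None  # any non-frame line ends the current record
    return records

def per_bind_leaks(text, iterations, entry="ldap_sasl_interactive_bind_s"):
    """For definite leaks reached via `entry`, report bytes per block and whether
    the block count equals iterations - 1 (first bind clean, one leak per later bind)."""
    out = []
    for r in parse_leaks(text):
        if r["kind"] == "definitely" and entry in r["stack"]:
            out.append({"caller": r["stack"][1] if len(r["stack"]) > 1 else r["stack"][0],
                        "bytes_per_block": r["bytes"] // r["blocks"],
                        "matches_n_minus_1": r["blocks"] == iterations - 1})
    return out

if __name__ == "__main__":
    print(per_bind_leaks(SAMPLE, iterations=10))
```
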