
(ITS#8592) Double free in sssvlv.c



Full_Name: Kevin
Version: 2.40
OS: Debian 7
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (218.188.214.98)


This bug was reported but still hasn't been fixed in recent versions. See
(ITS#8368).
Link:

http://www.openldap.org/lists/openldap-bugs/201602/msg00005.html
 
When one of my Outlook clients sends an email with more than 300 recipients, the
slapd server crashes.

The problem is caused by the free_sort_op function being called twice in sssvlv.c. In my
scenarios, the sssvlv_op_search function will call free_sort_op at line 955.
However, the so pointer has already been freed by the previous free_sort_op call in the
send_result function at line 706. I guess there is a chance the so pointer can
be occupied at sssvlv_op_search before send_result gets completed.

Here is my gdb result:

I set two breakpoints. One is free_sort_op and the other one is send_result. It
clearly shows that free_sort_op was called twice. One call is from send_result
and the other is from sssvlv_op_search.

Breakpoint 2, send_result (op=op@entry=0x7fffdc0028e0,
rs=rs@entry=0x7fffea8baae0, so=so@entry=0x7fffdc002670)
    at sssvlv.c:682

58a52415 conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=

Breakpoint 1, free_sort_op (so=0x7fffdc002670, conn=<optimized out>) at
sssvlv.c:396
396	in sssvlv.c

Breakpoint 1, free_sort_op (so=0x7fffdc002670, conn=<optimized out>) at
sssvlv.c:396
396	in sssvlv.c

Program received signal SIGABRT, Aborted.
0x00007ffff6628067 in raise () from /lib/x86_64-linux-gnu/libc.so.6

(gdb) backtrace
#0  0x00007ffff6628067 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff6629448 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007ffff66661b4 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x00007ffff666b98e in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4  0x00007ffff666c696 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#5  0x00007ffff4381abb in free_sort_op (so=0x7fffdc002670, conn=<optimized out>)
at sssvlv.c:406
#6  0x00007ffff43825ad in sssvlv_op_search (op=0x7fffd8000ae0,
rs=0x7fffe3ffeae0) at sssvlv.c:954
#7  0x00000000004a324a in overlay_op_walk ()
#8  0x00000000004a33b5 in ?? ()
#9  0x000000000043fa01 in fe_op_search ()
#10 0x000000000043f39c in do_search ()
#11 0x000000000043d1c5 in ?? ()
#12 0x000000000043d4ae in ?? ()
#13 0x0000000000527c18 in ?? ()
#14 0x00007ffff69a6064 in start_thread () from
/lib/x86_64-linux-gnu/libpthread.so.0
#15 0x00007ffff66db62d in clone () from /lib/x86_64-linux-gnu/libc.so.6
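As an added example, not code from the report or from OpenLDAP: a small C model of the ownership hazard described above, placing the dangling-pointer shape (a helper frees the object, the caller frees it again) beside a consuming variant that clears the owner's pointer, plus a debug-only released-address check that reports a second release instead of handing it to free() twice. The struct and function names echo the report; their bodies are assumptions.

```c
/* Added example, not OpenLDAP code: models the ownership hazard in the report. The
 * per-search sort_op belongs to the search handler; the result-sending helper may
 * release it, and the handler must not release it again. All bodies are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
typedef struct sort_op { int so_nentries; } sort_op;

/* Debug aid: remember released addresses so a repeated release is reported
 * instead of being handed to free() a second time. */
static uintptr_t released[16];
static int released_n = 0;

static sort_op *alloc_sort_op(void)
{
    sort_op *so = calloc(1, sizeof *so);
    for (int i = 0; so && i < released_n; i++)     /* address reused: forget it */
        if (released[i] == (uintptr_t)so)
            released[i] = released[--released_n];
    return so;
}

/* Returns 0 on a first release, 1 when 'so' was already released (double free). */
static int free_sort_op(sort_op *so)
{
    if (so == NULL) return 0;                      /* NULL is a harmless no-op */
    for (int i = 0; i < released_n; i++)
        if (released[i] == (uintptr_t)so)
            return 1;                              /* caught: would be a double free */
    if (released_n < 16) released[released_n++] = (uintptr_t)so;
    free(so);
    return 0;
}

/* Hazardous shape: the helper releases the object but leaves the caller's
 * pointer dangling, so the caller's own cleanup releases it a second time. */
static void send_result_dangling(sort_op *so) { free_sort_op(so); }

/* Hardened shape: the helper takes the owner's pointer by address and clears it
 * after releasing, so the owner's later free_sort_op(so) sees NULL. */
static void send_result_consuming(sort_op **sop) { free_sort_op(*sop); *sop = NULL; }

/* Models the handler's cleanup path; returns the status of its final release:
 * 1 means a double free was caught, 0 means a single clean release. */
int op_search(int hardened)
{
    sort_op *so = alloc_sort_op();
    if (so == NULL) return -1;
    if (hardened) send_result_consuming(&so); else send_result_dangling(so);
    return free_sort_op(so);                       /* unconditional cleanup, as in the report */
}
```

Under a real allocator the dangling path aborts the process the way the backtrace above shows; the released-address table here only makes the second release observable in a test.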