[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#8592) Double free in sssvlv.c

Full_Name: Kevin
Version: 2.40
OS: Debian 7
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

This bug was reported but still haven?t been fixed in recent version. See

When one of my outlook client sends an email with more than 300 recipients, the
slapd server crashes.

The problem is caused by double free_sort_op function called in sssvlv.c. In my
scenarios, the sssvlv_op_search function will call  free_sort_op at line 955.
However, the so pointer has already freed by the preivous free_sort_op call at
send_result function at line 706. I guess there is a chance  the so pointer can
be occupied at sssvlv_op_search before the send_result get completed.

Here is my gdb result:

I set two break points. One is free_sort_op and the other one is send_result. It
is clearly show that the free_sort_op was called twice . One is from send_result
and the other is sssvlv_op_search.

Breakpoint 2, send_result (op=op@entry=0x7fffdc0028e0,
rs=rs@entry=0x7fffea8baae0, so=so@entry=0x7fffdc002670)
    at sssvlv.c:682

58a52415 conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=

Breakpoint 1, free_sort_op (so=0x7fffdc002670, conn=<optimized out>) at
396	in sssvlv.c

Breakpoint 1, free_sort_op (so=0x7fffdc002670, conn=<optimized out>) at
396	in sssvlv.c

Program received signal SIGABRT, Aborted.
0x00007ffff6628067 in raise () from /lib/x86_64-linux-gnu/libc.so.6

(gdb) backtrace
#0  0x00007ffff6628067 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff6629448 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007ffff66661b4 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x00007ffff666b98e in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4  0x00007ffff666c696 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#5  0000007ffff4381abb in free_sort_op (so=0x7fffdc002670, conn=<optimized out>)
at sssvlv.c:406
#6  0x00007ffff43825ad in sssvlv_op_search (op=0x7fffd8000ae0,
rs=0x7fffe3ffeae0) at sssvlv.c:954
#7  0x00000000004a324a in overlay_op_walk ()
#8  0x00000000004a33b5 in ?? ()
#9  0x000000000043fa01 in fe_op_search ()
#10 0x000000000043f39c in do_search ()
#11 0x000000000043d1c5 in ?? ()

#12 0x000000000043d4ae in ?? ()
#13 0x0000000000527c18 in ?? ()
#14 0x00007ffff69a6064 in start_thread () from
#15 0x00007ffff66db62d in clone () from /lib/x86_64-linux-gnu/libc.so.6