
Re: (ITS#8755) invalid file descriptor when closing tls connection



On Thu, Oct 12, 2017 at 10:01:35PM +0000, info@christianknueppel.de wrote:
> I am currently developing C software which uses OpenLDAP with TLS
> authentication. My software is working fine, but when I test it with valgrind, I
> always get an invalid file descriptor when closing the connection.
> 
> Here is the stacktrace from valgrind:
> [...]
> --> In function ldap_close_handle I call ldap_unbind_ext_s(ld, NULL, NULL).
> 
> The connection is built with ldap_initialize(&ld, config.ldap_url) and
> ldap_start_tls_s(ld, NULL, NULL). Options set with ldap_set_option() are
> LDAP_OPT_X_TLS_REQUIRE_CERT to 2 (LDAP_OPT_X_TLS_DEMAND) and
> LDAP_OPT_X_TLS_CACERTFILE is set to all SSL CA certificates
> (/etc/ssl/certs/ca-certificates.crt). I run the ldap_unbind_ext_s command (for
> test purposes) shortly after the start_tls command is finished.
> When I use ldap_sasl_interactive_bind_s with DIGEST-MD5 instead of
> ldap_start_tls_s, the warning doesn't appear. When I use both, TLS and SASL, the
> warning also appears.
> 
> My computer is running Ubuntu 16.04.3 LTS (uname: 4.4.0-97-generic x86_64) with
> libldap-2.4-2 (2.4.42+dfsg-2ubuntu3.2) and libgnutls30 (3.4.10-4ubuntu1.4). I
> also tested it with the newest Ubuntu Artful Aardvark and the newest openldap
> (2.4.45+dfsg-1ubuntu1) and gnutls (3.5.8-6ubuntu3) release, but it didn't have any
> effect in my case.
> 
> I also tried to compile openldap against openssl to see if it might be a
> gnutls bug, but the invalid file descriptor occurs again. The lower valgrind
> stacktrace is done with openldap 2.4.45 and openssl 1.0.2g on the newest Artful
> Aardvark 17.10.
> [...]

Yes, it looks like the main SockBuf closing is run twice, once in
ldap_free_connection and once directly in ldap_ld_free. I think we don't
enforce that SockBuf implementations set sb_fd != AC_SOCKET_INVALID, so
not sure yet if we can gate calling sb_close on that or something else.

I'll see if there's a way to make this work better.

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
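
The double close discussed in this message, as an added example that is not part of the original post and is not OpenLDAP code: two teardown paths close the same descriptor, the second call fails with EBADF (what valgrind flags as an invalid file descriptor), and a guard on the stored descriptor makes the second call a no-op. `toy_sockbuf`, `TOY_SOCKET_INVALID` and the functions are hypothetical names; the guard assumes the implementation keeps a real descriptor in `sb_fd`, which the reply notes is not enforced.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

#define TOY_SOCKET_INVALID (-1)   /* hypothetical stand-in for AC_SOCKET_INVALID */

/* Hypothetical, simplified socket buffer; not OpenLDAP's Sockbuf. */
struct toy_sockbuf { int sb_fd; };

/* Unguarded: every teardown path calls close() on whatever sb_fd holds. */
static int toy_close_unguarded(struct toy_sockbuf *sb)
{
    return close(sb->sb_fd) == 0 ? 0 : errno;
}

/* Guarded: close once, then mark the descriptor invalid so that any later
 * teardown path skips the close instead of touching a stale number. */
static int toy_close_guarded(struct toy_sockbuf *sb)
{
    int rc;
    if (sb->sb_fd == TOY_SOCKET_INVALID)
        return 0;
    rc = close(sb->sb_fd) == 0 ? 0 : errno;
    sb->sb_fd = TOY_SOCKET_INVALID;
    return rc;
}

/* Put one end of a pipe into a toy_sockbuf and run the close routine twice,
 * as two independent teardown paths would. Returns the result of the second
 * call (0 or an errno value), or -1 if the setup or first close failed. */
int second_close_result(int guarded)
{
    int fds[2];
    struct toy_sockbuf sb;
    int (*do_close)(struct toy_sockbuf *) =
        guarded ? toy_close_guarded : toy_close_unguarded;

    if (pipe(fds) != 0)
        return -1;
    close(fds[1]);
    sb.sb_fd = fds[0];
    if (do_close(&sb) != 0)       /* first teardown path */
        return -1;
    return do_close(&sb);         /* second teardown path */
}

int main(void)
{
    printf("unguarded: %d, guarded: %d\n",
           second_close_result(0), second_close_result(1));
    return 0;
}
```

In a multi-threaded process the unguarded second close may not fail at all: if another thread has opened a file or socket in between, the stale number now refers to that new descriptor and the second close tears it down.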