slapd crash (malformed packet) (ITS#1803)
Full_Name: Kervin Pierre
Version: CVS 05MAY02
OS: rh7.2
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (65.186.68.157)
Managed to crash slapd by sending an LDAP packet with attributes that have no
values. The crash seems to occur within the free() for the last attribute, in
my case 'description'.
Here is part of the server output (different run from the gdb stack below), with
MALLOC_CHECK_=1; free() warns of an invalid pointer:
...
do_add: dn (cn=tester,dc=my-domain,dc=com)
ber_scanf fmt ({m{W}}) ber:
no values for type description
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: select: listen=7 active_threads=1 tvp=NULL
send_ldap_result: conn=8 op=1 p=3
send_ldap_result: err=2 matched="" text="no values for attribute type"
send_ldap_response: msgid=2 tag=105 err=2
ber_flush: 42 bytes to sd 13
conn=8 op=1 RESULT tag=105 err=2 text=no values for attribute type
free(): invalid pointer 0x820e132!
daemon: activity on 1 descriptors
daemon: activity on: 13r
daemon: read activity on 13
connection_get(13)
connection_get(13): got connid=8
connection_read(13): checking for input on id=8
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
ber_get_next on fd 13 failed errno=11 (Resource temporarily unavailable)
do_unbind
...
(gdb) bt f
#0 chunk_free (ar_ptr=0x40387620, p=0x8214de2) at malloc.c:3180
hd = 184815408
sz = 184815408
idx = 136400354
next = 0x13255d12
nextsz = 136400354
prevsz = 184815408
bck = 0x0
fwd = 0x13255d12
islr = 1077449044
sz = 184815408
next = 0x13255d12
bck = 0x0
islr = 1077449044
#1 0x402d3bf4 in __libc_free (mem=0x8214dea) at malloc.c:3154
mem = (void *) 0x13255d12
ar_ptr = (arena *) 0x40387620
p = 0x8214de2
hook = (void (*)()) 0xb040f30
#2 0x080e1d98 in ber_memfree (p=0x8214dea) at memory.c:143
p = (void *) 0x13255d12
#3 0x0807ee7e in ch_free (ptr=0x8214dea) at ch_malloc.c:125
No locals.
#4 0x08070516 in do_add (conn=0x404c0e0c, op=0x8214e20) at add.c:140
mod = (Modifications *) 0xb040f30
rtag = 184815408
ber = (BerElement *) 0x8214c00
last = 0x8214e18 "\b9!\b\201"
dn = {bv_len = 29, bv_val = 0x8214dc7 "cn=tester,dc=my-domain,dc=com"}
len = 15
tag = 184815408
e = (Entry *) 0x8214ed8
be = (Backend *) 0x8214c00
modlist = (Modifications *) 0x0
modtail = (Modifications **) 0x40905938
tmp = {sml_mod = {sm_op = 136400544, sm_desc = 0x81aced4, sm_type =
{bv_len = 11, bv_val = 0x8214dea "description"},
sm_bvalues = 0x0}, sml_next = 0xffffffff}
text = 0x0
rc = 2
manageDSAit = 184815408
#5 0x0806c09b in connection_operation (arg_v=0x8214ea0) at connection.c:963
rc = 135974612
arg = (struct co_arg *) 0x8214ea0
tag = 104
oldtag = 104
conn = (Connection *) 0x404c0e0c
#6 0x080c5b39 in ldap_int_thread_pool_wrapper (xpool=0x81aced0) at tpool.c:401
pool = (struct ldap_int_thread_pool_s *) 0x81aced0
ctx = (ldap_int_thread_ctx_t *) 0x820d370
#7 0x40244b9c in pthread_start_thread (arg=0x40905be0) at manager.c:274
self = 0x40905be0
request = {req_thread = 0x0, req_kind = REQ_CREATE, req_args = {create =
{attr = 0x0, fn = 0, arg = 0x0, mask = {
__val = {0 <repeats 32 times>}}}, free = {thread_id = 0}, exit = {code =
0}, post = 0x0}}
outcome = (void *) 0xb040f30
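Reading the do_add frame: free() is called on 0x8214dea, the same address held in tmp.sml_mod.sm_type.bv_val, and that address sits a few hundred bytes past the BerElement at 0x8214c00 rather than in a heap block of its own, which is what an in-place ('m' format) scan produces. The C sketch below is an added illustration written for this report, not OpenLDAP code: a constructed packet parser records whether the type string is owned or borrowed, so the cleanup that runs on the "no values" error path frees only what it actually allocated.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed minimal model of the structures in the report; not OpenLDAP's own code. */
struct berval { size_t bv_len; char *bv_val; };
struct attr_mod {
    struct berval  type;       /* attribute type name */
    struct berval *values;     /* heap array, or NULL when the packet carried no values */
    size_t         nvalues;
    int            type_owned; /* 1: type.bv_val is our heap block; 0: it points into the
                                  packet buffer ('m'-style in-place scan) and must never be freed */
};
/* Packet layout (constructed): [tlen][type bytes][nvals]([vlen][value bytes])*
 * Returns 0 on success, 1 for "no values for type" (m still needs cleanup), -1 on bad input. */
int attr_parse(unsigned char *pkt, size_t len, struct attr_mod *m, int copy_type)
{
    memset(m, 0, sizeof *m);
    if (len < 2 || (size_t)pkt[0] + 2 > len) return -1;
    size_t tlen = pkt[0], pos = 1 + tlen;
    if (copy_type) {                           /* owned copy: safe to free later */
        if (!(m->type.bv_val = malloc(tlen + 1))) return -1;
        memcpy(m->type.bv_val, pkt + 1, tlen);
        m->type.bv_val[tlen] = '\0';
        m->type_owned = 1;
    } else {                                   /* borrowed: interior pointer into pkt */
        m->type.bv_val = (char *)pkt + 1;
    }
    m->type.bv_len = tlen;
    size_t nvals = pkt[pos++];
    if (nvals == 0) return 1;                  /* the case in the report: values are absent */
    if (!(m->values = calloc(nvals, sizeof *m->values))) return -1;
    for (size_t i = 0; i < nvals; i++) {       /* value bytes are borrowed from pkt as well */
        if (pos >= len || pos + 1 + pkt[pos] > len) return -1;
        m->values[i].bv_len = pkt[pos];
        m->values[i].bv_val = (char *)pkt + pos + 1;
        pos += 1 + pkt[pos];
        m->nvalues++;
    }
    return 0;
}

/* Cleanup used on every exit path, including the error ones; frees only what attr_parse
 * allocated and returns the number of heap blocks released (0 when everything was borrowed). */
int attr_cleanup(struct attr_mod *m)
{
    int freed = 0;
    if (m->type_owned) { free(m->type.bv_val); freed++; }
    if (m->values)     { free(m->values);      freed++; }
    memset(m, 0, sizeof *m);
    return freed;
}
```

Running the borrowed-type variant under MALLOC_CHECK_=1 or a sanitizer is the quick way to confirm that a cleanup routine never hands an interior pointer to free().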