(ITS#7270) Double free in ldap_int_initialize
Full_Name: Frederik Deweerdt
Version: current HEAD
OS: Linux
URL: ftp://ftp.openldap.org/incoming/Frederik-Deweerdt-120511.patch
Submission from: (NULL) (72.5.239.5)
[PATCH] Protect accesses to ldap_int_hostname with a mutex
Not protecting the accesses to ldap_int_hostname would lead to a double
free with the following trace:
#7 0x0000003aca031d10 in abort () from /lib64/libc.so.6
No symbol table info available.
#8 0x0000003aca06a99b in __libc_message () from /lib64/libc.so.6
No symbol table info available.
#9 0x0000003aca0729d6 in free () from /lib64/libc.so.6
No symbol table info available.
#10 0x000000328902333e in ldap_int_initialize ()
from /usr/lib64/libldap-2.3.so.0
No symbol table info available.
#11 0x000000328900c426 in ldap_create () from /usr/lib64/libldap-2.3.so.0
No symbol table info available.
#12 0x000000328900ca0d in ldap_init () from /usr/lib64/libldap-2.3.so.0
No symbol table info available.
The race in init.c:ldap_int_initialize is as follows:
    char *name = ldap_int_hostname;

    ldap_int_hostname = ldap_pvt_get_fqdn( name );

    if ( name != NULL && name != ldap_int_hostname ) {
        LDAP_FREE( name );
    }
- T1 and T2 enter ldap_int_initialize, both assign to name the current
address of ldap_int_hostname, say 0x1234.
- T1 and T2 call ldap_pvt_get_fqdn(), updating ldap_int_hostname to 0x1235
and 0x1236 respectively.
- T1 and T2 reach the name != ldap_int_hostname check. In both threads
it's false, because 0x1235 != 0x1234 and 0x1236 != 0x1234, respectively.
- T1 and T2 both try to free 0x1234 => Crash.
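The same read/replace/free sequence with the mutex applied, as an added example written for this page (it is not the submitted patch nor OpenLDAP code): g_hostname, g_hostname_mutex and get_fqdn() are hypothetical stand-ins for ldap_int_hostname, the new mutex and ldap_pvt_get_fqdn(), and the stand-in always allocates a fresh buffer so every call after the first has an old pointer to free. A stress run from several threads then checks that exactly one buffer is outstanding at the end, which the unlocked version in the report cannot guarantee.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for ldap_int_hostname and the new mutex (hypothetical names). */
static char *g_hostname = NULL;
static pthread_mutex_t g_hostname_mutex = PTHREAD_MUTEX_INITIALIZER;
static atomic_int g_allocs, g_frees;   /* bookkeeping for the self-check */

/* Stand-in for ldap_pvt_get_fqdn(): always re-resolves into a fresh buffer. */
static char *get_fqdn(const char *name) {
    char *fqdn = malloc(64);
    if (fqdn == NULL) abort();
    (void)name;  /* the real function may hand back name itself; this one never does */
    snprintf(fqdn, 64, "host%d.example.org", atomic_fetch_add(&g_allocs, 1));
    return fqdn;
}

/* The init.c sequence with the fix applied: read, replace and free of the
 * global happen under one lock, so two threads cannot both load the same
 * old pointer and both free it. */
void refresh_hostname(void) {
    pthread_mutex_lock(&g_hostname_mutex);
    char *name = g_hostname;
    g_hostname = get_fqdn(name);
    if (name != NULL && name != g_hostname) {
        free(name);
        atomic_fetch_add(&g_frees, 1);
    }
    pthread_mutex_unlock(&g_hostname_mutex);
}

static void *worker(void *arg) {
    for (int i = 0; i < *(int *)arg; i++) refresh_hostname();
    return NULL;
}

/* Hammers refresh_hostname() from nthreads threads; returns 1 when exactly one
 * buffer (the live one) is outstanding afterwards: no double free, no leak. */
int run_refresh_stress(int nthreads, int iters) {
    pthread_t *tids = malloc(sizeof *tids * nthreads);
    if (tids == NULL) abort();
    atomic_store(&g_allocs, 0); atomic_store(&g_frees, 0);
    for (int i = 0; i < nthreads; i++) pthread_create(&tids[i], NULL, worker, &iters);
    for (int i = 0; i < nthreads; i++) pthread_join(tids[i], NULL);
    int ok = g_hostname != NULL && atomic_load(&g_allocs) - atomic_load(&g_frees) == 1;
    free(g_hostname); g_hostname = NULL; free(tids);
    return ok;
}
```

Calling run_refresh_stress(8, 2000) from a main() exercises the locked path from eight threads; removing the lock/unlock pair reproduces the T1/T2 interleaving above and trips glibc's double-free abort.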
---
libraries/libldap/init.c | 2 ++
libraries/libldap/ldap-int.h | 1 +
libraries/libldap/util-int.c | 3 +++
3 files changed, 6 insertions(+), 0 deletions(-)