[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7270) Double free in ldap_int_initialize

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7270) Double free in ldap_int_initialize
From: hyc@symas.com
Date: Wed, 30 May 2012 12:51:43 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

fdeweerdt@cloudmark.com wrote:
> Full_Name: Frederik Deweerdt
> Version: current HEAD
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/Frederik-Deweerdt-120511.patch
> Submission from: (NULL) (72.5.239.5)
>
>
> [PATCH]  Protect accesses to ldap_int_hostname with a mutex

Thanks for the patch, now in git master.
>
>
> Not protecting the accesses to ldap_int_hostname would lead to a double
> free with the following trace:
>
> 	#7  0x0000003aca031d10 in abort () from /lib64/libc.so.6
> 	No symbol table info available.
> 	#8  0x0000003aca06a99b in __libc_message () from /lib64/libc.so.6
> 	No symbol table info available.
> 	#9  0x0000003aca0729d6 in free () from /lib64/libc.so.6
> 	No symbol table info available.
> 	#10 0x000000328902333e in ldap_int_initialize ()
> 	   from /usr/lib64/libldap-2.3.so.0
> 	No symbol table info available.
> 	#11 0x000000328900c426 in ldap_create () from /usr/lib64/libldap-2.3.so.0
> 	No symbol table info available.
> 	#12 0x000000328900ca0d in ldap_init () from /usr/lib64/libldap-2.3.so.0
> 	No symbol table info available.
>
> The race in init.c:ldap_int_initialize is as follows:
> 646                 char    *name = ldap_int_hostname;
> 647
> 648                 ldap_int_hostname = ldap_pvt_get_fqdn( name );
> 649
> 650                 if ( name != NULL && name != ldap_int_hostname ) {
> 651                         LDAP_FREE( name );
> 652                 }
>
> - T1 and T2 enter ldap_int_initialize, both assign to name the current
> address of ldap_int_hostname, say 0x1234.
> - T1 and T2 call ldap_pvt_get_fqdn(), updating ldap_int_hostname to 0x1235
> and 0x1236 respectively.
> - T1 and T2 reach the name != ldap_int_hostname check. In both threads
> it's false, because 0x1235 != 0x1234 and 0x1236 != 0x1234, respectively.
> - T1 and T2 both try to free 0x1234 => Crash.
> ---
>   libraries/libldap/init.c     |    2 ++
>   libraries/libldap/ldap-int.h |    1 +
>   libraries/libldap/util-int.c |    3 +++
>   3 files changed, 6 insertions(+), 0 deletions(-)
>
>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Prev by Date: Re: (ITS#7283) Usage of private headers make building out-of-tree extensions painful
Next by Date: Re: (ITS#7271) Don't clobber SASL_NOCANON in clients/tools/common.c
Index(es):
- Chronological
- Thread