[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#7270) Double free in ldap_int_initialize
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7270) Double free in ldap_int_initialize
- From: hyc@symas.com
- Date: Wed, 30 May 2012 12:51:43 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
fdeweerdt@cloudmark.com wrote:
> Full_Name: Frederik Deweerdt
> Version: current HEAD
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/Frederik-Deweerdt-120511.patch
> Submission from: (NULL) (72.5.239.5)
>
>
> [PATCH] Protect accesses to ldap_int_hostname with a mutex
Thanks for the patch, now in git master.
>
>
> Not protecting the accesses to ldap_int_hostname would lead to a double
> free with the following trace:
>
> #7 0x0000003aca031d10 in abort () from /lib64/libc.so.6
> No symbol table info available.
> #8 0x0000003aca06a99b in __libc_message () from /lib64/libc.so.6
> No symbol table info available.
> #9 0x0000003aca0729d6 in free () from /lib64/libc.so.6
> No symbol table info available.
> #10 0x000000328902333e in ldap_int_initialize ()
> from /usr/lib64/libldap-2.3.so.0
> No symbol table info available.
> #11 0x000000328900c426 in ldap_create () from /usr/lib64/libldap-2.3.so.0
> No symbol table info available.
> #12 0x000000328900ca0d in ldap_init () from /usr/lib64/libldap-2.3.so.0
> No symbol table info available.
>
> The race in init.c:ldap_int_initialize is as follows:
> 646 char *name = ldap_int_hostname;
> 647
> 648 ldap_int_hostname = ldap_pvt_get_fqdn( name );
> 649
> 650 if ( name != NULL && name != ldap_int_hostname ) {
> 651 LDAP_FREE( name );
> 652 }
>
> - T1 and T2 enter ldap_int_initialize, both assign to name the current
> address of ldap_int_hostname, say 0x1234.
> - T1 and T2 call ldap_pvt_get_fqdn(), updating ldap_int_hostname to 0x1235
> and 0x1236 respectively.
> - T1 and T2 reach the name != ldap_int_hostname check. In both threads
> it's false, because 0x1235 != 0x1234 and 0x1236 != 0x1234, respectively.
> - T1 and T2 both try to free 0x1234 => Crash.
> ---
> libraries/libldap/init.c | 2 ++
> libraries/libldap/ldap-int.h | 1 +
> libraries/libldap/util-int.c | 3 +++
> 3 files changed, 6 insertions(+), 0 deletions(-)
>
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/