[Date Prev][Date Next] [Chronological] [Thread] [Top]

slapd segfaults during SASL/GSSAPI bind




I've gotton several slapd core files where slap has segfaulted during a GSSAPI bind.
Unfortunately I can't make slapd core. But the stack trace always looks the same:


(gdb) bt
#0 0xb7f3a410 in ?? ()
#1 0xad328d28 in ?? ()
#2 0x00000006 in ?? ()
#3 0x000056ae in ?? ()
#4 0xb7c0b041 in *__GI_raise (sig=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#5 0xb7c0c7d7 in *__GI_abort () at ../sysdeps/generic/abort.c:88
#6 0xb7c3e4ce in __libc_message (do_abort=2,
fmt=0xb7cee5c0 "*** glibc detected *** %s: 0x%s ***\n")
at ../sysdeps/unix/sysv/linux/libc_fatal.c:145
#7 0xb7c48196 in malloc_printerr (action=2, str=0x0, ptr=0x0) at malloc.c:5525
#8 0xb7c46e9d in _int_free (av=0xb7cfb820, mem=0x97bf77a4) at malloc.c:4235
#9 0xb7c45bfb in *__GI___libc_free (mem=0x97bf77a4) at malloc.c:3404
#10 0x0807ad56 in ch_free (ptr=0x97bf77a4) at ch_malloc.c:139
#11 0x080a5b86 in slap_sasl_authorize (sconn=0x945e1d48, context=0xad72f228,
requested_user=0x945e2658 "tjsm@UMICH.EDU", rlen=14,
auth_identity=0x945e2759 "tjsm@UMICH.EDU", alen=14,
def_realm=0x96849538 "UMICH.EDU", urlen=9, props=0x0) at sasl.c:673
#12 0xb7e73ba3 in do_authorization (s_conn=0x945e1d48) at server.c:1163
#13 0xb7e73d18 in sasl_server_step (conn=0x945e1d48,
clientin=0xa8ec5716 "`?\006\t*\206H\206?\022\001\002\002\002\001 \004",
clientinlen=0, serverout=0xad329114, serveroutlen=0x56ae) at server.c:1420
#14 0x080a6984 in slap_sasl_bind (op=0x7683c860, rs=0xad329240) at sasl.c:1399
#15 0x0807d06a in fe_op_bind (op=0x7683c860, rs=0xad329240) at bind.c: 276
#16 0x0807c873 in do_bind (op=0x7683c860, rs=0xad329240) at bind.c:200
#17 0x08061a8f in connection_operation (ctx=0x0, arg_v=0x7683c860)
at connection.c:1132
#18 0x08116168 in ldap_int_thread_pool_wrapper (xpool=0x81cd520) at tpool.c:478
#19 0xb7e54c6b in start_thread (arg=0xad329bb0) at pthread_create.c:261
#20 0xb7c9ad9e in clone () from /lib/libc.so.6


It looks to me that slap_sasl_authorize is freeing someting that has already been freed
namely context->c_sasl_dn.


Here is the context structure:

(gdb) p *(Connection *) context
$5 = {c_struct_state = 2, c_conn_state = 3, c_conn_idx = 46,
c_close_reason = 0x81446c5 "?", c_mutex = {__data = {__lock = 0,
__count = 0, __owner = 0, __kind = 0, __nusers = 0, __spins = 0},
__size = '\0' <repeats 23 times>, __align = 0}, c_sb = 0x9efce118,
c_starttime = 1175269483, c_activitytime = 1175269483, c_connid = 4957353,
c_peer_domain = {bv_len = 7, bv_val = 0xa5863d98 "unknown"}, c_peer_name = {
bv_len = 22, bv_val = 0xa368c190 "IP=141.211.14.17:58013"},
c_listener = 0x81c02c8, c_sasl_bind_in_progress = 1, c_sasl_bind_mech = {
bv_len = 6, bv_val = 0x8435bbc0 "GSSAPI"}, c_sasl_dn = {bv_len = 35,
bv_val = 0x97bf77a4 "hasSubordinates1\a\004 \005FALSESESESEALSEALSEEALSEALSEavin,ou=People,dc=umich,dc=edu\004% uid=jleasia,ou=People,dc=umich,dc=edu\004 $uid=ktexas,ou=People,dc=umich,dc=edu\004! uid=lmp,ou=People,dc=umich,dc=edu\004%uid=philr"...}, c_sasl_authz_dn = {bv_len = 0, bv_val = 0x0},
c_authz_backend = 0x81e6dc8, c_authz_cookie = 0x0, c_authz = {
sai_method = 128, sai_mech = {bv_len = 0, bv_val = 0x0}, sai_dn = {
bv_len = 0, bv_val = 0x0}, sai_ndn = {bv_len = 0, bv_val = 0x0},
sai_ssf = 0, sai_transport_ssf = 0, sai_tls_ssf = 0, sai_sasl_ssf = 0},
c_protocol = 3, c_ops = {stqh_first = 0x7683c860, stqh_last = 0x7683c92c},
c_pending_ops = {stqh_first = 0x0, stqh_last = 0xad72f2d0}, c_write_mutex = {
__data = {__lock = 0, __count = 0, __owner = 0, __kind = 0, __nusers = 0,
__spins = 0}, __size = '\0' <repeats 23 times>, __align = 0},
c_write_cv = {__data = {__lock = 0, __futex = 1782, __total_seq = 891,
__wakeup_seq = 891, __woken_seq = 891, __mutex = 0xad72f238,
__nwaiters = 0, __broadcast_seq = 0},
__size = "\000\000\000\000?\006\000\000{\003\000\000\000\000\000 \000{\003\000\000\000\000\000\000{\003\000\000\000\000\000\0008?r?", '\0' <repeats 11 times>, __align = 7653631721472}, c_currentber = 0x968f5370, c_writewaiter = 0,
c_is_tls = 0, c_needs_tls_accept = 0, c_sasl_layers = 0, c_sasl_done = 0,
c_sasl_authctx = 0x945e1d48, c_sasl_sockctx = 0x0,
c_sasl_extra = 0x927e6f80, c_sasl_bindop = 0x7683c860,
c_pagedresults_state = {ps_be = 0x0, ps_size = 0, ps_cookie = 0,
ps_count = 0}, c_n_ops_received = 4, c_n_ops_executing = 1,
c_n_ops_pending = 0, c_n_ops_completed = 3, c_n_get = 4, c_n_read = 4,
c_n_write = 0, c_pb = 0x0, c_extensions = 0x0, c_clientfunc = 0,
c_clientarg = 0x0, c_send_ldap_result = 0x806fb10 <slap_send_ldap_result>,
c_send_search_entry = 0x80714a0 <slap_send_search_entry>,
c_send_search_reference = 0x80705d0 <slap_send_search_reference>,
c_send_ldap_extended = 0x8070290 <slap_send_ldap_extended>,
c_send_ldap_intermediate = 0x8070440 <slap_send_ldap_intermediate>}


Current environment:
openldap-2.3.32
cyrus sasl 2.1.21
heimdal 0.6.6
linux  from source - kernal 2.6.18

Any ideas?