Full_Name: Pierangelo Masarati
Version: HEAD/re23
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (81.72.89.40)
Submitted by: ando
Malformed perl can cause a double free in str2entry2().

Steps to reproduce: from back-perl's "search" routine, generate a malformed entry that begins with "dn : ..." and ends with "...\n\t".
Backtrace (from HEAD; similar in re23) follows:
(gdb) bt
#0  0x003957a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1  0x003d57a5 in raise () from /lib/tls/libc.so.6
#2  0x003d7209 in abort () from /lib/tls/libc.so.6
#3  0x0040971a in __libc_message () from /lib/tls/libc.so.6
#4  0x0040ffbf in _int_free () from /lib/tls/libc.so.6
#5  0x0041033a in free () from /lib/tls/libc.so.6
#6  0x08226022 in ber_memfree_x (p=0x84e5960, ctx=0x0) at memory.c:149
#7  0x080a11fe in ch_free (ptr=0x84e5960) at ch_malloc.c:139
#8  0x0808d12a in str2entry2 (s=0x0, checkvals=1) at entry.c:374
#9  0x0808c1a0 in str2entry (s=0x84e5838 "dn") at entry.c:100
#10 0x0813c7c8 in perl_back_search (op=0x84e50f8, rs=0xb78f01c8) at search.c:78
#11 0x080846f4 in fe_op_search (op=0x84e50f8, rs=0xb78f01c8) at search.c:374
#12 0x08084078 in do_search (op=0x84e50f8, rs=0xb78f01c8) at search.c:217
#13 0x08081083 in connection_operation (ctx=0xb78f02a4, arg_v=0x84e50f8) at connection.c:1129
#14 0x08081550 in connection_read_thread (ctx=0xb78f02a4, argv=0x9) at connection.c:1257
#15 0x081f38d4 in ldap_int_thread_pool_wrapper (xpool=0x8364c08) at tpool.c:704
#16 0x00692371 in start_thread () from /lib/tls/libpthread.so.0
#17 0x00475ffe in clone () from /lib/tls/libc.so.6
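The report above describes the failure class (a parser that, on a malformed entry string such as one beginning with "dn : ..." and ending in "\n\t", releases the same allocation twice on its error path). The following is an added illustration, not OpenLDAP's str2entry2() and not code from this report: a minimal LDIF-style entry parser written so that every allocation has exactly one owner and the error path has a single release point. The names toy_entry, toy_entry_free, toy_str2entry and toy_parse_matches are hypothetical, and the inputs in main() are constructed for the example.

```c
/* Added illustration, not OpenLDAP code: a minimal LDIF-style entry parser
 * whose error path releases each allocation exactly once. All names here
 * (toy_entry, toy_entry_free, toy_str2entry, toy_parse_matches) are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TOY_MAX_ATTRS 16

typedef struct toy_entry {
    char *dn;                     /* copy of the dn value, owned by the entry */
    char *attrs[TOY_MAX_ATTRS];   /* "name: value" strings, owned by the entry */
    int   nattrs;
} toy_entry;

/* Accepts NULL and partially built entries, so the error path and the normal
 * path share one release routine and no pointer is freed from two places. */
void toy_entry_free(toy_entry *e)
{
    if (e == NULL) return;
    free(e->dn);
    for (int i = 0; i < e->nattrs; i++) free(e->attrs[i]);
    free(e);
}

/* Copy [start, end) into a fresh NUL-terminated string. */
static char *dupn(const char *start, const char *end)
{
    size_t n = (size_t)(end - start);
    char *p = malloc(n + 1);
    if (p == NULL) return NULL;
    memcpy(p, start, n);
    p[n] = '\0';
    return p;
}

/* Parse "attr: value" lines separated by '\n'; a line starting with '\t' or ' '
 * continues the previous value (LDIF folding). Returns NULL on malformed input,
 * including "dn : x" (space before the colon) and a fold marker with no data. */
toy_entry *toy_str2entry(const char *s)
{
    toy_entry *e = calloc(1, sizeof *e);
    if (e == NULL) return NULL;

    const char *line = s;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        const char *end = nl ? nl : line + strlen(line);
        if (line[0] == '\t' || line[0] == ' ') {          /* folded continuation */
            if (e->nattrs == 0) goto fail;                 /* nothing to continue */
            if (end == line + 1) goto fail;                /* trailing "\n\t", no data */
            char **last = &e->attrs[e->nattrs - 1];
            size_t oldlen = strlen(*last), addlen = (size_t)(end - (line + 1));
            char *grown = realloc(*last, oldlen + addlen + 1);
            if (grown == NULL) goto fail;                  /* *last is still owned by e */
            memcpy(grown + oldlen, line + 1, addlen);
            grown[oldlen + addlen] = '\0';
            *last = grown;
        } else {
            const char *colon = memchr(line, ':', (size_t)(end - line));
            if (colon == NULL || colon == line) goto fail;
            if (colon[-1] == ' ') goto fail;               /* "dn : ..." is malformed */
            if (e->nattrs == TOY_MAX_ATTRS) goto fail;
            char *attr = dupn(line, end);
            if (attr == NULL) goto fail;
            e->attrs[e->nattrs++] = attr;                  /* ownership moves to e at once */
            if (e->dn == NULL && colon - line == 2 && strncmp(line, "dn", 2) == 0) {
                const char *v = colon + 1;
                while (v < end && *v == ' ') v++;
                e->dn = dupn(v, end);
                if (e->dn == NULL) goto fail;
            }
        }
        if (nl == NULL) break;
        line = nl + 1;
    }
    if (e->dn == NULL) goto fail;                          /* an entry needs a dn */
    return e;

fail:
    toy_entry_free(e);   /* the only release point: no local pointer is freed separately */
    return NULL;
}

/* Parse, compare dn / attribute count / last attribute, release. Returns 1 on match. */
int toy_parse_matches(const char *s, const char *dn, int nattrs, const char *last_attr)
{
    toy_entry *e = toy_str2entry(s);
    if (e == NULL) return 0;
    int ok = strcmp(e->dn, dn) == 0 && e->nattrs == nattrs
             && strcmp(e->attrs[e->nattrs - 1], last_attr) == 0;
    toy_entry_free(e);
    return ok;
}

int main(void)
{
    /* constructed inputs: one well-formed entry, two malformed ones */
    printf("well-formed: %d\n", toy_parse_matches(
        "dn: cn=test,dc=example\nobjectClass: per\n\tson\n",
        "cn=test,dc=example", 2, "objectClass: person"));
    printf("space before colon rejected: %d\n", toy_str2entry("dn : cn=x\n") == NULL);
    printf("trailing fold marker rejected: %d\n", toy_str2entry("dn: cn=x\n\t") == NULL);
    return 0;
}
```

The point of the structure is that the partially built entry owns every string the moment it is allocated, so the failure path never has to decide which local pointers are still live; the one call to toy_entry_free() at the fail label releases the dn, the attributes and the entry itself exactly once.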