chris.w.martin@oracle.com wrote:

Full_Name: Chris Martin Version: 2.4.23-32.el6_4.1 but also present in git repository version OS: Oracle Linux 6 URL: Submission from: (NULL) (148.87.19.206)

If tlsm_ctx_free is entered with ctx->tc_pin_file null it will crash when it calls PL_strfree with that null pointer.

http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/l... 2039 static void 2040 tlsm_ctx_free ( tls_ctx *ctx ) 2041 { ... 2069 PL_strfree( c->tc_pin_file )

I propose that an "if ( c->tc_pin_file )" be added before this line to protect against this.

The specific use case when we hit this involves automount calling openldap ldap_start_tls_s which fails with LDAP_CONNECT_ERROR. automount then calls openldap ldap_unbind_ext which calls ldap_ld_free which calls ldap_int_tls_destroy which triggers this crash above.

Thanks for the report. This is now fixed in git master, plus another potential instance of the same issue.

You guys are crazy to even be using this MozNSS POS.