Re: (ITS#5525) libldap causes a core dump due to accessing freed memory

Friday, 23 May 2008

paul(a)mad-scientist.us wrote:
...
 Full_Name: Paul Smith
 Version: 2.4.7
 OS: Ubuntu 8.04
 URL:
 Submission from: (NULL) (65.78.30.67) 
...
 If you check ldap_free_connection() you'll see that it removes
the LDAPConn
 pointer "lc" from the list of connections before it is freed.

 BUT!  The ldap_free_connection() function never does anything with the
 ld->ld_defconn pointer, so if the connection we just freed is the one pointed to
 by ld->ld_defconn, it is now pointing to freed memory.  And that causes the
 problem detected above by valgrind, or causing an assert later on: accessing
 freed memory.

 I'm not really sure what the right thing to do here is, or I'd provide a patch.
 Should we set ld_defconn to NULL?  Is that ever a valid state?  Or should we
 just pick another connection from the list (and what if there isn't one?) 
A fix is now in HEAD, please test. The solution sets ld_defconn to NULL, and 
also closes ld->ld_sb if necessary. In that case, ldap_send_initial_request 
will create a new defconn before calling ldap_send_server_request.
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006