fdeweerdt@cloudmark.com wrote:
Full_Name: Frederik Deweerdt Version: current HEAD OS: Linux URL: ftp://ftp.openldap.org/incoming/Frederik-Deweerdt-120511.patch Submission from: (NULL) (72.5.239.5)
[PATCH] Protect accesses to ldap_int_hostname with a mutex
Thanks for the patch, now in git master.
Not protecting the accesses to ldap_int_hostname would lead to a double free with the following trace:
#7 0x0000003aca031d10 in abort () from /lib64/libc.so.6 No symbol table info available. #8 0x0000003aca06a99b in __libc_message () from /lib64/libc.so.6 No symbol table info available. #9 0x0000003aca0729d6 in free () from /lib64/libc.so.6 No symbol table info available. #10 0x000000328902333e in ldap_int_initialize () from /usr/lib64/libldap-2.3.so.0 No symbol table info available. #11 0x000000328900c426 in ldap_create () from /usr/lib64/libldap-2.3.so.0 No symbol table info available. #12 0x000000328900ca0d in ldap_init () from /usr/lib64/libldap-2.3.so.0 No symbol table info available.
The race in init.c:ldap_int_initialize is as follows: 646 char *name = ldap_int_hostname; 647 648 ldap_int_hostname = ldap_pvt_get_fqdn( name ); 649 650 if ( name != NULL && name != ldap_int_hostname ) { 651 LDAP_FREE( name ); 652 }
- T1 and T2 enter ldap_int_initialize, both assign to name the current
address of ldap_int_hostname, say 0x1234.
- T1 and T2 call ldap_pvt_get_fqdn(), updating ldap_int_hostname to 0x1235
and 0x1236 respectively.
- T1 and T2 reach the name != ldap_int_hostname check. In both threads
it's false, because 0x1235 != 0x1234 and 0x1236 != 0x1234, respectively.
- T1 and T2 both try to free 0x1234 => Crash.
libraries/libldap/init.c | 2 ++ libraries/libldap/ldap-int.h | 1 + libraries/libldap/util-int.c | 3 +++ 3 files changed, 6 insertions(+), 0 deletions(-)