https://bugs.openldap.org/show_bug.cgi?id=9458
Issue ID: 9458
Summary: undefined behavior and possible crash in connection_init()
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: grapvar@gmail.com
Target Milestone: ---
ITS#9112 (Howard Chu, 2019-10-28, "cleaner error handling...") introduces the following code in servers/slapd/connection.c`connection_init():

    if( ber_sockbuf_ctrl( c->c_sb, LBER_SB_OPT_SET_NONBLOCK, c ) < 0 ) {
        Debug( "connection_init(%d, %s): set nonblocking failed\n", ... );
        ...
        ber_sockbuf_free( c->c_sb );
        c->c_sb = NULL;
        ...
        return NULL;
    }
If [Connection c] has already been initialized and "set nonblocking failed", then nullified c->c_sb crashes slapd on next connect on the same file descriptor:
    Assertion failed: sb != NULL, file ../../../libraries/liblber/sockbuf.c, line 180, function ber_sockbuf_add_io
The above is true for both 2.4 and 2.5/master branches.
For branch 2.4 this code (commit 934055a11b) additionally causes undefined behavior for uninitialized [Connection c], because of re-initialization of already initialized mutexes and cv's:
    if( doinit ) {
        c->c_send_ldap_result = slap_send_ldap_result;
        ...
        ldap_pvt_thread_mutex_init( &c->c_mutex );
        ldap_pvt_thread_mutex_init( &c->c_write1_mutex );
        ldap_pvt_thread_mutex_init( &c->c_write2_mutex );
        ldap_pvt_thread_cond_init( &c->c_write1_cv );
        ldap_pvt_thread_cond_init( &c->c_write2_cv );
        ...
    }
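The two failure modes in the report, as an added model in C that is not OpenLDAP code: one per-fd slot in a connection table is initialised once and then reused for every later connection on that fd, the way slapd's Connection table is. `conn_slot`, `sb_alloc()`, `set_nonblock()`, `mutex_init()`, `conn_close()` and `conn_add_io()` are stand-ins for Connection, ber_sockbuf_alloc(), ber_sockbuf_ctrl(LBER_SB_OPT_SET_NONBLOCK), ldap_pvt_thread_mutex_init(), connection_destroy() and ber_sockbuf_add_io(); the real liblber/slapd API is not used, and the exact placement of the one-time block in slapd is assumed, not taken from the page. `conn_init_reported()` has the error path quoted above; `conn_init_fixed()` allocates a new sockbuf after freeing the old one (the fix the thread names) and commits the one-time initialisation before anything that can fail.

```c
/* Added example, not OpenLDAP code: a model of one per-fd connection slot
 * that is initialised once and reused across connections. All names are
 * stand-ins for the slapd/liblber objects named in the lead-in. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum slot_state { SLOT_UNINITIALIZED = 0, SLOT_UNUSED, SLOT_ACTIVE };

struct conn_slot {
    enum slot_state state;
    char *sb;          /* stand-in for Sockbuf *c_sb, kept across connections */
    int mutex_inits;   /* times the slot's mutexes/cvs have been initialised */
    int fd;
};

typedef int (*init_fn)(struct conn_slot *, int, int);

static char *sb_alloc(void) { return calloc(1, 16); }

/* 'fail' simulates the fcntl() behind SET_NONBLOCK failing. */
static int set_nonblock(int fail) { return fail ? -1 : 0; }

/* Initialising an already initialised pthread mutex is undefined
 * behaviour; the model only counts calls so a repeat is visible. */
static void mutex_init(struct conn_slot *c) { c->mutex_inits++; }

/* Error path shaped like the one quoted in the report: the sockbuf is
 * freed and NULLed, and the one-time state is never advanced. */
int conn_init_reported(struct conn_slot *c, int fd, int fail_nonblock) {
    if (c->state == SLOT_UNINITIALIZED) {   /* the 'doinit' block */
        mutex_init(c);
        c->sb = sb_alloc();
    }
    c->fd = fd;
    if (set_nonblock(fail_nonblock) < 0) {
        free(c->sb);
        c->sb = NULL;          /* next connect on this fd finds no sockbuf */
        return -1;             /* state still UNINITIALIZED: doinit runs again */
    }
    c->state = SLOT_ACTIVE;
    return 0;
}

/* Same flow with a new sockbuf allocated after the old one is freed, and
 * the one-time init committed before anything that can fail. */
int conn_init_fixed(struct conn_slot *c, int fd, int fail_nonblock) {
    if (c->state == SLOT_UNINITIALIZED) {
        mutex_init(c);
        c->sb = sb_alloc();
        c->state = SLOT_UNUSED;   /* mutexes are live from here on */
    }
    c->fd = fd;
    if (set_nonblock(fail_nonblock) < 0) {
        free(c->sb);
        c->sb = sb_alloc();       /* must alloc new sb after freeing old one */
        c->state = SLOT_UNUSED;
        return -1;
    }
    c->state = SLOT_ACTIVE;
    return 0;
}

/* Stand-in for connection_destroy(): back to UNUSED, sockbuf retained. */
static void conn_close(struct conn_slot *c) { c->state = SLOT_UNUSED; }

/* Stand-in for ber_sockbuf_add_io(), whose first assertion is sb != NULL. */
int conn_add_io(const struct conn_slot *c) { return c->sb ? 0 : -1; }

/* Scenario 1 of the report: an already initialised slot, one connect whose
 * nonblock setup fails, then a normal connect on the same fd.
 * Returns 1 if that connect would trip the sb != NULL assertion, else 0. */
int replay_reused_slot(init_fn init) {
    struct conn_slot c;
    memset(&c, 0, sizeof c);
    init(&c, 7, 0);              /* first use of the slot succeeds */
    conn_close(&c);
    init(&c, 7, 1);              /* set nonblocking fails */
    init(&c, 7, 0);              /* next connect on fd 7 */
    int rc = conn_add_io(&c) < 0 ? 1 : 0;
    free(c.sb);
    return rc;
}

/* Scenario 2 (the 2.4 branch issue): a never-used slot fails on its very
 * first connect. Returns 2 if the retry re-initialised the mutexes, else 0. */
int replay_fresh_slot(init_fn init) {
    struct conn_slot c;
    memset(&c, 0, sizeof c);
    init(&c, 9, 1);              /* first-ever connect fails */
    init(&c, 9, 0);              /* retry on the same fd */
    int rc = c.mutex_inits > 1 ? 2 : 0;
    free(c.sb);
    return rc;
}

int main(void) {
    printf("reported: reused slot %d, fresh slot %d\n",
           replay_reused_slot(conn_init_reported), replay_fresh_slot(conn_init_reported));
    printf("fixed:    reused slot %d, fresh slot %d\n",
           replay_reused_slot(conn_init_fixed), replay_fresh_slot(conn_init_fixed));
    return 0;
}
```

Run stand-alone it prints `reported: reused slot 1, fresh slot 2` and `fixed: reused slot 0, fresh slot 0`: the reported error path leaves the slot either without a sockbuf or still flagged for one-time initialisation, and the fixed path leaves it in the same usable state a closed connection would.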
Howard Chu hyc@openldap.org changed:

What           |Removed      |Added
---------------+-------------+-----------
Status         |UNCONFIRMED  |RESOLVED
Resolution     |---          |TEST

--- Comment #1 from Howard Chu hyc@openldap.org ---
(In reply to Konstantin Andreev from comment #0)
> ITS#9112 (Howard Chu, 2019-10-28, "cleaner error handling...") introduces the following code in
Thanks for the report. Fixed in git master, RE24.
In practice this doesn't ever happen; notice that the original ITS only occurred due to a bug in the Heimdal libraries.
> servers/slapd/connection.c`connection_init():
>
>     if( ber_sockbuf_ctrl( c->c_sb, LBER_SB_OPT_SET_NONBLOCK, c ) < 0 ) {
>         Debug( "connection_init(%d, %s): set nonblocking failed\n", ... );
>         ...
>         ber_sockbuf_free( c->c_sb );
>         c->c_sb = NULL;
>         ...
>         return NULL;
>     }
>
> If [Connection c] has already been initialized and "set nonblocking failed", then nullified c->c_sb crashes slapd on next connect on the same file descriptor:
>
>     Assertion failed: sb != NULL, file ../../../libraries/liblber/sockbuf.c, line 180, function ber_sockbuf_add_io
>
> The above is true for both 2.4 and 2.5/master branches.
>
> For branch 2.4 this code (commit 934055a11b) additionally causes undefined behavior for uninitialized [Connection c], because of re-initialization of already initialized mutexes and cv's:
>
>     if( doinit ) {
>         c->c_send_ldap_result = slap_send_ldap_result;
>         ...
>         ldap_pvt_thread_mutex_init( &c->c_mutex );
>         ldap_pvt_thread_mutex_init( &c->c_write1_mutex );
>         ldap_pvt_thread_mutex_init( &c->c_write2_mutex );
>         ldap_pvt_thread_cond_init( &c->c_write1_cv );
>         ldap_pvt_thread_cond_init( &c->c_write2_cv );
>         ...
>     }
Quanah Gibson-Mount quanah@openldap.org changed:

What             |Removed |Added
-----------------+--------+-------
Target Milestone |---     |2.5.2

--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org ---
trunk:

Commits:
• e5bd309f by Howard Chu at 2021-02-08T00:46:58+00:00
  ITS#9458 must alloc new conn->c_sb after freeing old one

RE24:

Commits:
• e5bd309f by Howard Chu at 2021-02-08T00:46:58+00:00
  ITS#9458 must alloc new conn->c_sb after freeing old one
Quanah Gibson-Mount quanah@openldap.org changed:

What             |Removed |Added
-----------------+--------+-------
Resolution       |TEST    |FIXED
Target Milestone |2.5.2   |2.5.1

--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org ---
RE25:

commit e5bd309fb28ece8020003eb4ee07fd0ead3f8231
Author: Howard Chu hyc@openldap.org
Date:   Mon Feb 8 00:46:58 2021 +0000

    ITS#9458 must alloc new conn->c_sb after freeing old one
Quanah Gibson-Mount quanah@openldap.org changed:

What           |Removed  |Added
---------------+---------+---------
Status         |RESOLVED |VERIFIED