[Issue 9879] New: Crash in bindconf_free

Thu, 07 Jul 2022 05:17:19 -0700 

https://bugs.openldap.org/show_bug.cgi?id=9879

          Issue ID: 9879
           Summary: Crash in bindconf_free
           Product: OpenLDAP
           Version: 2.6.2
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Keywords: needs_review
          Severity: normal
          Priority: ---
         Component: slapd
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Slapd 2.6 (git commit 0dc9ff2594da) produes at start this output: free():
invalid pointer . The core-dump is:


gdb /git/openldap bt f                                              
#0  __pthread_kill_internal (signo=6, threadid=<optimized out>) at
pthread_kill.c:45                                                    
        pid = 3060261                                               
        tid = 3060261                                                           
        pd = <optimized out>
        val = 0
        tid = <optimized out>
        pd = <optimized out>
        val = <optimized out>
        sc_ret = <optimized out>
        resultvar = <optimized out>
        __x = <optimized out>
        pid = <optimized out>
        resultvar = <optimized out>
        __arg3 = <optimized out>
        __arg2 = <optimized out>
        __arg1 = <optimized out>
        _a3 = <optimized out>
        _a2 = <optimized out>
        _a1 = <optimized out>
#1  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at
pthread_kill.c:62
No locals.
#2  0x00007ff2445a91f2 in __GI_raise (sig=sig@entry=6) at
../sysdeps/posix/raise.c:26
        ret = <optimized out>
#3  0x00007ff24459443b in __GI_abort () at abort.c:79
        save_stage = 1
        act = {
          __sigaction_handler = {
            sa_handler = 0x7ff244e0b590,
            sa_sigaction = 0x7ff244e0b590
          },
          sa_mask = {
            __val = {140678513857256, 140678514176000, 0, 4360521566522441729,
4294967295, 17981341232831397889, 140678513857472, 
              140678514176000, 140678513858576, 140678514161728, 37835024,
140678514167232, 5433280, 140727718055568, 140727718055515, 
              140678514247725}
          },
          sa_flags = 1,
          sa_restorer = 0x0
        }
        sigs = {
          __val = {32, 1, 140678501620784, 1, 0, 1, 140678514176000, 1,
140678501620784, 140678514176000, 140678514176880, 0, 
            140678514389536, 1, 140677358813185, 4294967295}
        }
#4  0x00007ff2445e7c00 in __libc_message (action=action@entry=do_abort,
fmt=fmt@entry=0x7ff2447185f4 "%s\n")
    at ../sysdeps/posix/libc_fatal.c:155
        ap = {{
            gp_offset = 24,
            fp_offset = 0,
            overflow_arg_area = 0x7ffdb9a4f2e0,
            reg_save_area = 0x7ffdb9a4f270
          }}                                                                   
                                               [31/1957]
        fd = <optimized out>
        list = <optimized out>
        nlist = <optimized out>
        cp = <optimized out>
#5  0x00007ff2445fc64a in malloc_printerr (str=str@entry=0x7ff244716247
"free(): invalid pointer") at malloc.c:5543
No locals.
#6  0x00007ff2445fddbc in _int_free (av=<optimized out>, p=<optimized out>,
have_lock=0) at malloc.c:4326
        size = 0
        fb = <optimized out>
        nextchunk = <optimized out>
        nextsize = <optimized out>
        nextinuse = <optimized out>
        prevsize = <optimized out>
        bck = <optimized out>
        fwd = <optimized out>
        __PRETTY_FUNCTION__ = "_int_free"
#7  0x00007ff244600821 in __GI___libc_free (mem=<optimized out>) at
malloc.c:3278
        ar_ptr = <optimized out>
        p = <optimized out>
        err = 13
#8  0x000000000041ab72 in bindconf_free (bc=bc@entry=0x52b970 <ldifocs+48>) at
config.c:1611
No locals.
#9  0x000000000046b908 in syncinfo_free (sie=0x52b940 <ldifocs>,
free_all=free_all@entry=1) at syncrepl.c:6052
        si_next = 0x4d8530
#10 0x0000000000429815 in backend_destroy_one (bd=0x52d8f0 <cfBackInfo+16>,
dynamic=0) at backend.c:456
No locals.
#11 0x000000000041651a in config_back_db_destroy (be=<optimized out>,
cr=<optimized out>) at bconfig.c:7610
        cfb = 0x52d8e0 <cfBackInfo>
#12 0x000000000042981d in backend_destroy_one (bd=0x2445920, dynamic=1) at
backend.c:459
No locals.
#13 0x000000000042993a in backend_destroy () at backend.c:498
        bd = <optimized out>
        bi = <optimized out>
#14 0x000000000043e04f in slap_destroy () at init.c:258
        rc = <optimized out>
#15 0x000000000040a12c in main (argc=<optimized out>, argv=0x7ffdb9a4f628) at
main.c:890
        i = <optimized out>
        no_detach = <optimized out>
        rc = 1
        urls = 0x7ffdb9a50e90 "ldap://ldap.aegee.org/ ldaps://ldap.aegee.org
ldapi://%2Fvar%2Frun%2Fldapi"
        username = 0x7ffdb9a50e60 "openldap"
        groupname = 0x0
        sandbox = 0x7ffdb9a50e6c "/home/openldap"
        pid = <optimized out>
        waitfds = {38815280, 0}
        g_argc = <optimized out>
        g_argv = 0x7ffdb9a4f628
        configfile = 0x0
        configdir = 0x7ffdb9a50e7e "/etc/openldap/"
        serverMode = 1
        scp = <optimized out>
        scp_entry = <optimized out>
        serverNamePrefix = <synthetic pointer>
        l = <optimized out>
        slapd_pid_file_unlink = <optimized out>
        slapd_args_file_unlink = <optimized out>
        firstopt = <optimized out>

Going back to commit 2cf617938 does work fine.


To be precise, openldap reads certificates from its chrooted file -
chr/etc/openssl/certs/ca-bundle.crt , but it had no read-access to the 
chr/etc/openssl/certs directory.  At commit 2cf617938 does not crash at the
latest 2.6 it crashes.

-- 
You are receiving this mail because:
You are on the CC list for the issue.

Reply via email to