Segfault in openldap while using ldaps #6676
Comments
|
I can reproduce with 24f850f on OpenBSD-current |
|
I did some investigation on it and it turns out that the following line tries to access an item from a NULL pointer: struct ldapconninfo *li = conn->proto.ldapc;The problem is that conn (data->conn) is NULL. However data itself is set, just not conn. I might find time to write a patch for it this weekend but I can't promise anything. Will post more updates regarding it soon. |
I chased this down too and IMHO it's not as simple as it looks: See #6518 (comment), #6446 (comment) and f2f91ac. |
|
Okay I spent some time this morning inspecting it but I see myself unable to do it unfortunately. The problem is indeed much bigger |
|
@bagder : thanks for fix. This effectively suppresses the segfault, but I wonder if the way it's done would'nt close the connection prematurely with regards to the LDAP protocol. I did not check, but the unbindRequest is probably not transmitted. |
|
(This doesn't just suppress the segfault, it fixes the function to use the correct pointer and only use it if it is (still) valid.) That's a slightly different but possibly still important issue: since the connection is already gone when The only proper way we can get this in order is to introduce an LDAP test server to the test suite and a few tests to make sure that curl speaks the protocol correctly. Easier said than done. |
It seems you set the pointer to NULL: in ldap_disconnect:
I already dreamed of it: that's another story! |
Yes, because when we disconnect LDAP there is no longer any transfer associated to it... |
Sure, but we're still having a (dummy?) I had good results trying the following method:
Hacky-tricky, but it seems to work. I can provide a PR if you like it. |
But I was slightly wrong. The connection is actually still associated with the transfer when diff --git a/lib/openldap.c b/lib/openldap.c
index 066c0fd73..c80ac8b07 100644
--- a/lib/openldap.c
+++ b/lib/openldap.c
@@ -369,11 +369,11 @@ static CURLcode ldap_disconnect(struct Curl_easy *data,
if(li) {
if(li->ld) {
Sockbuf *sb;
ldap_get_option(li->ld, LDAP_OPT_SOCKBUF, &sb);
- ber_sockbuf_add_io(sb, &ldapsb_tls, LBER_SBIOD_LEVEL_TRANSPORT, NULL);
+ ber_sockbuf_add_io(sb, &ldapsb_tls, LBER_SBIOD_LEVEL_TRANSPORT, data);
ldap_unbind_ext(li->ld, NULL, NULL);
li->ld = NULL;
}
conn->proto.ldapc = NULL;
free(li); |
|
see #6787 |
|
I tried that alone, but it does not work, since data->conn is NULL. |
|
For the original |
|
Yes, you're right. I just tried #6787 with removals of null tests in tls io functions and it works. I think we've finally got it. Thanks. |
I did this
curl -k --cert-type P12 --cert mycert.p12:password 'ldaps://localhost/?supportedSASLMechanisms?base?(objectclass=*)'After correct output, curl segfaults while in
ldap_unbind_extcalled byldap_disconnect.This is the
ldapsb_tlsproblem we shortly discussed at #6518 (comment) and is related to theconn->dataremoval.I expected the following
Clean termination
curl/libcurl version
curl 7.76.0-DEV (x86_64-pc-linux-gnu) libcurl/7.76.0-DEV OpenSSL/1.1.1i-fips zlib/1.2.11 brotli/1.0.9 zstd/1.4.7 libidn2/2.3.0 libpsl/0.21.1 (+libidn2/2.3.0) iconv libssh/0.9.5/openssl/zlib nghttp2/1.43.0 librtmp/2.3 libgsasl/1.8.1
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli CharConv Debug gsasl GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP TrackMemory UnixSockets zstd
operating system
Linux patrick.monnerat 5.10.18-200.fc33.x86_64 #1 SMP Tue Feb 23 22:06:05 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
The text was updated successfully, but these errors were encountered: