Bug 717730

Summary: memleak in tlsm_auth_cert_handler
Product: [Fedora] Fedora
Reporter: Rich Megginson <rmeggins>
Component: openldap
Assignee: Jan Vcelak <jvcelak>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: high
Version: rawhide
CC: jvcelak, rmeggins, tsmetana
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openldap-2.4.24-5.fc15
Doc Type: Bug Fix
Doc Text:
- Any tool which uses both OpenLDAP and Mozilla NSS libraries. OpenLDAP validates TLS peer and the certificate is cached by Mozilla NSS library.
- The tool can fail on NSS_Shutdown function call, because the client certificate is not freed and the caches cannot be destroyed.
- Peer certificate is freed in OpenLDAP library after certificate validation is finished.
- All caches can be freed and NSS_Shutdown succeeds.
Clone Of:
: 717738
Last Closed: 2011-07-20 15:18:06 UTC
Bug Blocks: 710372, 712491, 717738    

Description Rich Megginson 2011-06-29 17:38:39 UTC
Description of problem:
tlsm_auth_cert_handler calls SSL_PeerCertificate to get the peer's cert from the socket.  This cert must be freed with CERT_DestroyCertificate.

You can see this problem using valgrind with ldapsearch -ZZ.  You will see memory leaks like this:

==23056== 48 bytes in 1 blocks are possibly lost in loss record 45 of 110
==23056==    at 0x4A04A28: calloc (vg_replace_malloc.c:467)
==23056==    by 0x30AF675479: nss_ZAlloc (arena.c:892)
==23056==    by 0x30AE601A8E: PL_HashTableRawAdd (plhash.c:265)
==23056==    by 0x30AF676C53: nssHash_Add (hash.c:259)
==23056==    by 0x30AF66C7C7: nssCertificateStore_FindOrAdd (pkistore.c:192)
==23056==    by 0x30AF6691B1: NSSCryptoContext_FindOrImportCertificate (cryptocontext.c:146)
==23056==    by 0x30AF664A17: CERT_NewTempCertificate (stanpcertdb.c:456)
==23056==    by 0x30B0212ED3: ssl3_HandleHandshakeMessage (ssl3con.c:7850)
==23056==    by 0x30B0213E2F: ssl3_HandleRecord (ssl3con.c:8727)
==23056==    by 0x30B02148CB: ssl3_GatherCompleteHandshake (ssl3gthr.c:209)
==23056==    by 0x30B0217168: ssl_GatherRecord1stHandshake (sslcon.c:1258)
==23056==    by 0x30B021CF14: ssl_Do1stHandshake (sslsecur.c:151)
==23056==    by 0x30B021E67E: SSL_ForceHandshake (sslsecur.c:407)
==23056==    by 0x30B32349E4: tlsm_session_accept_or_connect (tls_m.c:2350)
==23056==    by 0x30B3233571: ldap_int_tls_connect (tls2.c:366)
==23056==    by 0x30B32337DC: ldap_int_tls_start (tls2.c:833)
==23056==    by 0x30B323394D: ldap_start_tls_s (tls2.c:939)
==23056==    by 0x40B798: tool_conn_setup (common.c:1290)
==23056==    by 0x4069A7: main (ldapsearch.c:900)

In other applications that use Mozilla NSS, you will see errors in NSS_Shutdown and NSS_Initialize - NSS_Shutdown will fail because the cert objects are cached, and the cache cannot be freed because there is still an outstanding reference.
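
The ownership rule described above, as an added example that is not part of the bug report and is not OpenLDAP or NSS code: a self-contained C model showing why a handler that keeps the reference it got from the peer-certificate call makes shutdown fail. Every `model_*` and `auth_handler_*` name is a hypothetical stand-in, and no NSS headers are used.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of a refcounted cert cache; not the NSS API. */
typedef struct { int refs; } model_cert;          /* stands in for a cached cert */
typedef struct { model_cert *peer; } model_sock;  /* stands in for the TLS socket */
static int live_refs;                             /* references still outstanding */

static model_sock *model_handshake(void) {        /* socket owns one reference */
    model_sock *s = malloc(sizeof *s);
    model_cert *c = malloc(sizeof *c);
    if (!s || !c) abort();
    c->refs = 1; live_refs++;
    s->peer = c;
    return s;
}
/* Models SSL_PeerCertificate: hands the caller a NEW reference it must release. */
static model_cert *model_peer_cert(model_sock *s) { s->peer->refs++; live_refs++; return s->peer; }
/* Models CERT_DestroyCertificate: drops one reference, frees on the last one. */
static void model_destroy_cert(model_cert *c) { live_refs--; if (--c->refs == 0) free(c); }
static void model_close(model_sock *s) { model_destroy_cert(s->peer); free(s); }
/* Models NSS_Shutdown: the cache cannot be torn down while references remain. */
static int model_shutdown(void) { return live_refs == 0 ? 0 : -1; }

/* Handler as described in the report: validates, never releases the cert. */
static int auth_handler_leaky(model_sock *s) {
    model_cert *c = model_peer_cert(s);
    return c ? 0 : -1;
}
/* Handler after the fix: releases the cert once validation is finished. */
static int auth_handler_fixed(model_sock *s) {
    model_cert *c = model_peer_cert(s);
    int rc = c ? 0 : -1;
    if (c) model_destroy_cert(c);
    return rc;
}
/* One connection: handshake, run the handler, close, then try to shut down. */
static int run_session(int (*handler)(model_sock *)) {
    live_refs = 0;
    model_sock *s = model_handshake();
    handler(s);
    model_close(s);
    return model_shutdown();
}
int main(void) {
    printf("leaky handler: shutdown -> %d\n", run_session(auth_handler_leaky));
    printf("fixed handler: shutdown -> %d\n", run_session(auth_handler_fixed));
    return 0;
}
```

In the leaky run the certificate block is never freed, which is the kind of loss record valgrind reports, and the model's shutdown returns -1 because one reference is still counted.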

Comment 1 Rich Megginson 2011-06-29 17:39:24 UTC
Patch submitted upstream - http://www.openldap.org/its/index.cgi?findid=6980

Comment 2 Jan Vcelak 2011-07-20 11:03:58 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
- Any tool which uses both OpenLDAP and Mozilla NSS libraries. OpenLDAP validates TLS peer and the certificate is cached by Mozilla NSS library.
- The tool can fail on NSS_Shutdown function call, because the client certificate is not freed and the caches cannot be destroyed.
- Peer certificate is freed in OpenLDAP library after certificate validation is finished.
- All caches can be freed and NSS_Shutdown succeeds.

Comment 3 Jan Vcelak 2011-07-20 15:18:06 UTC
Resolved in openldap-2.4.26-1.fc16

Comment 4 Fedora Update System 2011-08-24 19:38:37 UTC
openldap-2.4.24-4.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/openldap-2.4.24-4.fc15

Comment 5 Fedora Update System 2011-09-12 19:01:42 UTC
openldap-2.4.24-5.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/openldap-2.4.24-5.fc15

Comment 6 Fedora Update System 2011-11-17 23:41:40 UTC
openldap-2.4.24-5.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.