From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041020
Description of problem:
I came across this problem while investigating a possible hack-around
for bug #143147 and I found a similar bug for RH7 (bug #66053, dating
back two and a half years and still new and uncommented).
This problem has several aspects, but I'll describe just one that
The call sasl_set_alloc() is used to set allocation routines instead
of the default. The ldap client libraries use this to replace the
default allocation routines with the allocation routines used by,
among other things, the lber routines.
If server that uses SASL for authentication, say, calls attempts to
use the ldap routines while in the midst of a SASL authentication
sequence it will crash. This is not only easy to achieve, it's
practically unavoidable. If you have a SASL_CB_CANON_USER callback
that looks up the user in an LDAP directory then the SASL allocation
routines will change half way through the SASL authentication
sequence. It's not so much the malloc(), calloc() and realloc()
routines changing under your feet as the free() routine changing.
Once the ldap routines have called and the SASL conversation finishes
and starts freeing up allocated storage. Well, I don't have to paint
a picture do I? Sooner or later storage allocated with malloc() is
going to be freed with the lber free routine. Boom!
Version-Release number of selected component (if applicable):
Steps to Reproduce:
See description. It's not guaranteed to crash every time, but
valgrind usually spots the corruption.
Actual Results: Core dump, often.
Expected Results: The cyrus-sasl sasl_set_alloc() and
sasl_set_mutex() routines (and, I think, some of the hooks used
internally) are not re-entrant so nested implicit calls will tend to
produce unexpected and sometimes disasterous results. See above.
There is a deeply unpleasnt workaround for this. In the particular
case above I simply saved _sasl_allocation_utils (a cyrus-sasl private
variable) while I made the ldap calls and restored is afterwards.
This workaround is OK for cyrus-sasl-1 and cyrus-sasl-2 and even a
combination :-) Finding the right workaround, however, requires a
detailed source-level analysis of the application, cyrus-sasl and the
openldap client libraries. With other combinations you'll need a
similar lengthy analysis.
The proper fix for this is is to have a new SASL context (in addition
to the client or server authentication context) to hold all this
global data. This can be made a backwards compatible change so that
the existing sasl routines use a default global context and new ones
take a context as an extra parameter. Code can be migrated to the
new interface as and when needed or convenient.
It's a bit of a mess though.
At this point, we do not plan to fix this RHEL3 bug