Bug 1796558 - Memory leak in ACI using IP subject
Summary: Memory leak in ACI using IP subject
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.8
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: thierry bordaz
QA Contact: RHDS QE
Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks: 1788833 1803052 1862172
TreeView+ depends on / blocked
 
Reported: 2020-01-30 17:12 UTC by thierry bordaz
Modified: 2021-08-27 22:38 UTC (History)
7 users (show)

Fixed In Version: 389-ds-base-1.3.10.2-1.el7
Doc Type: Bug Fix
Doc Text:
.A memory leak has been fixed in Directory Server when using `ip` binding rules in an ACI with IPv6 The Access Control Instruction (ACI) context in Directory Server is attached to a connection and contains a structure for both the IPv4 and IPv6 protocol. Previously, when a client closed a connection, Directory Server removed the only IPv4 structure and the context. As a consequence, if an administrator configured an ACI with `ip` binding rule, Directory Server leaked memory of the IPv6 structure. With this update, the server frees both the IPv4 and IPv6 structures at the end of a connection. As a result, Directory Server no longer leaks memory in the mentioned scenario.
Clone Of:
: 1803052 1862172 (view as bug list)
Environment:
Last Closed: 2020-09-29 19:46:56 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 3911 0 None closed Memory leak in ACI using IP subject 2020-10-07 07:46:10 UTC
Red Hat Product Errata RHBA-2020:3894 0 None None None 2020-09-29 19:48:24 UTC

Description thierry bordaz 2020-01-30 17:12:47 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/389-ds-base/issue/50857

#### Issue Description
The leak is detected with ASAN build running dirsrvtests/tests/suites/acl/keywords_*


#### Package Version and Platform
All versions


#### Steps to reproduce

1. install ASAN build 
2. run dirsrvtests/tests/suites/acl/keywords_*
3.

#### Actual results

    =================================================================
    ==13615==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 88 byte(s) in 1 object(s) allocated from:
        #0 0x7f53ae6ecb78 in __interceptor_malloc (/lib64/libasan.so.5+0xefb78)
        #1 0x7f539f36783e in INTsystem_malloc_perm (/usr/lib64/dirsrv/libns-dshttpd-1.4.2.4.so+0x5983e)
        #2 0x7f539f350563 in LASIpTreeAllocNode lib/libaccess/lasip.cpp:181
        #3 0x7f539f3520fb in LASIpAddPatternIPv6 lib/libaccess/lasip.cpp:649
        #4 0x7f539f3520fb in LASIpBuild lib/libaccess/lasip.cpp:335
        #5 0x7f539f3520fb in LASIpEval lib/libaccess/lasip.cpp:531
        #6 0x7f539f3556d5 in ACLEvalAce(NSErr_s*, ACLEvalHandle*, ACLExprHandle*, unsigned long*, PListStruct_s**, PListStruct_s*) lib/libaccess/oneeval.cpp:215
        #7 0x7f539f357400 in ACL_INTEvalTestRights lib/libaccess/oneeval.cpp:752
        #8 0x7f539f35852d in ACL_EvalTestRights (/usr/lib64/dirsrv/libns-dshttpd-1.4.2.4.so+0x4a52d)
        #9 0x7f539f5c7e81 in acl__TestRights ldap/servers/plugins/acl/acl.c:3289
        #10 0x7f539f5d14ce in acl_access_allowed (/usr/lib64/dirsrv/plugins/libacl-plugin.so+0x224ce)
        #11 0x7f539f6049bb in acl_access_allowed_main ldap/servers/plugins/acl/aclplugin.c:371
        #12 0x7f53ae24ffea in plugin_call_acl_plugin (/usr/lib64/dirsrv/libslapd.so.0+0x1c3fea)
        #13 0x7f53ae250d7d in slapi_access_allowed (/usr/lib64/dirsrv/libslapd.so.0+0x1c4d7d)
        #14 0x7f539f5d4859 in acl_check_mods (/usr/lib64/dirsrv/plugins/libacl-plugin.so+0x25859)
        #15 0x7f53ae250252 in plugin_call_acl_mods_access (/usr/lib64/dirsrv/libslapd.so.0+0x1c4252)
        #16 0x7f539bc01f0e in ldbm_back_modify ldap/servers/slapd/back-ldbm/ldbm_modify.c:616
        #17 0x7f53ae20aa53 in op_shared_modify ldap/servers/slapd/modify.c:1021
        #18 0x7f53ae20ea0b in do_modify (/usr/lib64/dirsrv/libslapd.so.0+0x182a0b)
        #19 0x56130fb60e3d in connection_dispatch_operation ldap/servers/slapd/connection.c:638
        #20 0x56130fb60e3d in connection_threadmain ldap/servers/slapd/connection.c:1767
        #21 0x7f53aba54567  (/lib64/libnspr4.so+0x2b567)  


#### Expected results
Should not leak

Comment 2 thierry bordaz 2020-02-03 09:54:36 UTC
Fix pushed upstream (master, 1.4.2, 1.4.1, 1.4.0, 1.3.10) => POST

Comment 3 thierry bordaz 2020-02-07 10:26:36 UTC
An other BZ/ticket also fixes another ACI/IP leak: https://bugzilla.redhat.com/show_bug.cgi?id=1769418 / https://pagure.io/389-ds-base/issue/50709

Comment 8 Viktor Ashirov 2020-03-20 13:01:28 UTC
============================================================== test session starts ===============================================================
platform linux -- Python 3.6.8, pytest-5.4.1, py-1.8.1, pluggy-0.13.1 -- /usr/bin/python3
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-3.10.0-1127.el7.x86_64-x86_64-with-redhat-7.8-Maipo', 'Packages': {'pytest': '5.4.1', 'py': '1.8.1', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.8.0', 'html': '2.1.1'}}
389-ds-base: 1.3.10.2-1.1asan.el7
nss: 3.44.0-7.el7_7
nspr: 4.21.0-1.el7
openldap: 2.4.44-21.el7_6
cyrus-sasl: 2.1.26-23.el7
FIPS: disabled
rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests, inifile: pytest.ini
plugins: metadata-1.8.0, html-2.1.1
collected 57 items

dirsrvtests/tests/suites/acl/keywords_part2_test.py::test_access_from_certain_network_only_ip PASSED                                       [  1%]
dirsrvtests/tests/suites/acl/keywords_part2_test.py::test_connectin_from_an_unauthorized_network PASSED                                    [  3%]
dirsrvtests/tests/suites/acl/keywords_part2_test.py::test_ip_keyword_test_noip_cannot PASSED                                               [  5%]
dirsrvtests/tests/suites/acl/keywords_part2_test.py::test_user_can_access_the_data_at_any_time PASSED                                      [  7%]
dirsrvtests/tests/suites/acl/keywords_part2_test.py::test_user_can_access_the_data_only_in_the_morning PASSED                              [  8%]
dirsrvtests/tests/suites/acl/keywords_part2_test.py::test_user_can_access_the_data_only_in_the_afternoon PASSED                            [ 10%]
dirsrvtests/tests/suites/acl/keywords_part2_test.py::test_timeofday_keyword PASSED                                                         [ 12%]
dirsrvtests/tests/suites/acl/keywords_part2_test.py::test_dayofweek_keyword_test_everyday_can_access PASSED                                [ 14%]
dirsrvtests/tests/suites/acl/keywords_part2_test.py::test_dayofweek_keyword_today_can_access PASSED                                        [ 15%]
dirsrvtests/tests/suites/acl/keywords_part2_test.py::test_user_cannot_access_the_data_at_all PASSED                                        [ 17%]
dirsrvtests/tests/suites/acl/keywords_test.py::test_user_binds_with_a_password_and_can_access_the_data PASSED                              [ 19%]
dirsrvtests/tests/suites/acl/keywords_test.py::test_user_binds_with_a_bad_password_and_cannot_access_the_data PASSED                       [ 21%]
dirsrvtests/tests/suites/acl/keywords_test.py::test_anonymous_user_cannot_access_the_data PASSED                                           [ 22%]
dirsrvtests/tests/suites/acl/keywords_test.py::test_authenticated_but_has_no_rigth_on_the_data PASSED                                      [ 24%]
dirsrvtests/tests/suites/acl/keywords_test.py::test_the_bind_client_is_accessing_the_directory PASSED                                      [ 26%]
dirsrvtests/tests/suites/acl/keywords_test.py::test_users_binds_with_a_password_and_can_access_the_data PASSED                             [ 28%]
dirsrvtests/tests/suites/acl/keywords_test.py::test_user_binds_without_any_password_and_cannot_access_the_data PASSED                      [ 29%]
dirsrvtests/tests/suites/acl/keywords_test.py::test_user_can_access_the_data_when_connecting_from_any_machine PASSED                       [ 31%]
dirsrvtests/tests/suites/acl/keywords_test.py::test_user_can_access_the_data_when_connecting_from_internal_ds_network_only PASSED          [ 33%]
dirsrvtests/tests/suites/acl/keywords_test.py::test_user_can_access_the_data_when_connecting_from_some_network_only PASSED                 [ 35%]
dirsrvtests/tests/suites/acl/keywords_test.py::test_from_an_unauthorized_network PASSED                                                    [ 36%]
dirsrvtests/tests/suites/acl/keywords_test.py::test_user_cannot_access_the_data_when_connecting_from_an_unauthorized_network_2 PASSED      [ 38%]
dirsrvtests/tests/suites/acl/keywords_test.py::test_user_cannot_access_the_data_if_not_from_a_certain_domain PASSED                        [ 40%]
dirsrvtests/tests/suites/acl/keywords_test.py::test_dnsalias_keyword_test_nodns_cannot PASSED                                              [ 42%]
dirsrvtests/tests/suites/acl/keywords_test.py::test_user_can_access_from_ipv4_or_ipv6_address[127.0.0.1] PASSED                            [ 43%]
dirsrvtests/tests/suites/acl/keywords_test.py::test_user_can_access_from_ipv4_or_ipv6_address[[::1]] PASSED                                [ 45%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_search_success[6-5] PASSED                                              [ 47%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_search_success[5-5] PASSED                                              [ 49%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_search_success[5-25] PASSED                                             [ 50%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_search_limits_fail[50-200-cn=config,cn=ldbm database,cn=plugins,cn=config-nsslapd-idlistscanlimit-100-UNWILLING_TO_PERFORM] PASSED [ 52%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_search_limits_fail[5-15-cn=config-nsslapd-timelimit-20-UNAVAILABLE_CRITICAL_EXTENSION] PASSED [ 54%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_search_limits_fail[21-50-cn=config-nsslapd-sizelimit-20-SIZELIMIT_EXCEEDED] PASSED [ 56%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_search_limits_fail[21-50-cn=config-nsslapd-pagedsizelimit-5-SIZELIMIT_EXCEEDED] PASSED [ 57%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_search_limits_fail[5-50-cn=config,cn=ldbm database,cn=plugins,cn=config-nsslapd-lookthroughlimit-20-ADMINLIMIT_EXCEEDED] PASSED [ 59%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_search_sort_success PASSED                                              [ 61%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_search_abandon PASSED                                                   [ 63%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_search_with_timelimit PASSED                                            [ 64%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_search_dns_ip_aci[dns = "localhost.localdomain"] PASSED                 [ 66%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_search_dns_ip_aci[ip = "127.0.0.1"] PASSED                              [ 68%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_search_multiple_paging PASSED                                           [ 70%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_search_invalid_cookie[1000] PASSED                                      [ 71%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_search_invalid_cookie[-1] PASSED                                        [ 73%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_search_abandon_with_zero_size PASSED                                    [ 75%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_search_pagedsizelimit_success PASSED                                    [ 77%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_search_nspagedsizelimit[5-15-PASS] PASSED                               [ 78%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_search_nspagedsizelimit[15-5-SIZELIMIT_EXCEEDED] PASSED                 [ 80%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_search_paged_limits[conf_attr_values0-ADMINLIMIT_EXCEEDED] PASSED       [ 82%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_search_paged_limits[conf_attr_values1-PASS] PASSED                      [ 84%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_search_paged_user_limits[conf_attr_values0-ADMINLIMIT_EXCEEDED] PASSED  [ 85%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_search_paged_user_limits[conf_attr_values1-PASS] PASSED                 [ 87%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_ger_basic PASSED                                                        [ 89%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_multi_suffix_search PASSED                                              [ 91%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_maxsimplepaged_per_conn_success[None] PASSED                            [ 92%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_maxsimplepaged_per_conn_success[-1] PASSED                              [ 94%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_maxsimplepaged_per_conn_success[1000] PASSED                            [ 96%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_maxsimplepaged_per_conn_failure[0] PASSED                               [ 98%]
dirsrvtests/tests/suites/paged_results/paged_results_test.py::test_maxsimplepaged_per_conn_failure[1] PASSED                               [100%]

================================================== 57 passed, 13 warnings in 187.34s (0:03:07) ===================================================


Automated tests pass, no memory leak (described in this bugzilla) found.
Marking as VERIFIED.

Comment 16 errata-xmlrpc 2020-09-29 19:46:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds-base bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3894


Note You need to log in before you can comment on or make changes to this bug.