Bug 717730 - memleak in tlsm_auth_cert_handler
Summary: memleak in tlsm_auth_cert_handler
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openldap
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Jan Vcelak
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 710372 712491 717738
Reported: 2011-06-29 17:38 UTC by Rich Megginson
Modified: 2013-03-04 01:29 UTC

Fixed In Version: openldap-2.4.24-5.fc15
Clone Of:
: 717738 (view as bug list)
Environment:
Last Closed: 2011-07-20 15:18:06 UTC
Type: ---
Embargoed:



Description Rich Megginson 2011-06-29 17:38:39 UTC
Description of problem:
tlsm_auth_cert_handler calls SSL_PeerCertificate to get the peer's cert from the socket.  This cert must be freed with CERT_DestroyCertificate.

You can see this problem using valgrind with ldapsearch -ZZ.  You will see memory leaks like this:

==23056== 48 bytes in 1 blocks are possibly lost in loss record 45 of 110
==23056==    at 0x4A04A28: calloc (vg_replace_malloc.c:467)
==23056==    by 0x30AF675479: nss_ZAlloc (arena.c:892)
==23056==    by 0x30AE601A8E: PL_HashTableRawAdd (plhash.c:265)
==23056==    by 0x30AF676C53: nssHash_Add (hash.c:259)
==23056==    by 0x30AF66C7C7: nssCertificateStore_FindOrAdd (pkistore.c:192)
==23056==    by 0x30AF6691B1: NSSCryptoContext_FindOrImportCertificate (cryptocontext.c:146)
==23056==    by 0x30AF664A17: CERT_NewTempCertificate (stanpcertdb.c:456)
==23056==    by 0x30B0212ED3: ssl3_HandleHandshakeMessage (ssl3con.c:7850)
==23056==    by 0x30B0213E2F: ssl3_HandleRecord (ssl3con.c:8727)
==23056==    by 0x30B02148CB: ssl3_GatherCompleteHandshake (ssl3gthr.c:209)
==23056==    by 0x30B0217168: ssl_GatherRecord1stHandshake (sslcon.c:1258)
==23056==    by 0x30B021CF14: ssl_Do1stHandshake (sslsecur.c:151)
==23056==    by 0x30B021E67E: SSL_ForceHandshake (sslsecur.c:407)
==23056==    by 0x30B32349E4: tlsm_session_accept_or_connect (tls_m.c:2350)
==23056==    by 0x30B3233571: ldap_int_tls_connect (tls2.c:366)
==23056==    by 0x30B32337DC: ldap_int_tls_start (tls2.c:833)
==23056==    by 0x30B323394D: ldap_start_tls_s (tls2.c:939)
==23056==    by 0x40B798: tool_conn_setup (common.c:1290)
==23056==    by 0x4069A7: main (ldapsearch.c:900)

In other applications that use Mozilla NSS, you will see errors in NSS_Shutdown and NSS_Initialize - NSS_Shutdown will fail because the cert objects are cached, and the cache cannot be freed because there is still an outstanding reference.

Comment 1 Rich Megginson 2011-06-29 17:39:24 UTC
Patch submitted upstream - http://www.openldap.org/its/index.cgi?findid=6980

Comment 2 Jan Vcelak 2011-07-20 11:03:58 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
- Any tool which uses both OpenLDAP and Mozilla NSS libraries. OpenLDAP validates TLS peer and the certificate is cached by Mozilla NSS library.
- The tool can fail on NSS_Shutdown function call, because the client certificate is not freed and the caches cannot be destroyed.
- Peer certificate is freed in OpenLDAP library after certificate validation is finished.
- All caches can be freed and NSS_Shutdown succeeds.
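
The reference-counting problem reported above and summarized in the technical note, as a simplified model added here for illustration. It is not OpenLDAP or NSS code: `cert_t`, the `model_*` functions, `auth_cert_handler` and `run_session` are hypothetical stand-ins for the behaviour the report describes.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model, NOT the NSS API: every name below is hypothetical. */
typedef struct { int refs; } cert_t;
static cert_t *cache_entry;   /* one-slot stand-in for the library's cert cache */

/* Handshake stores the peer cert in the cache; the cache owns one reference. */
static void model_handshake(void) {
    cache_entry = calloc(1, sizeof *cache_entry);
    if (cache_entry) cache_entry->refs = 1;
}

/* Stand-in for SSL_PeerCertificate: hands the caller an extra reference. */
static cert_t *model_peer_cert(void) {
    if (cache_entry) cache_entry->refs++;
    return cache_entry;
}

/* Stand-in for CERT_DestroyCertificate: gives the caller's reference back. */
static void model_destroy_cert(cert_t *c) { if (c) c->refs--; }

/* Stand-in for NSS_Shutdown: fails while a caller still holds a reference. */
static int model_shutdown(void) {
    if (cache_entry && cache_entry->refs > 1) return -1;
    free(cache_entry);
    cache_entry = NULL;
    return 0;
}

/* Certificate handler; release_ref = 0 models the bug, 1 models the fix. */
static int auth_cert_handler(int release_ref) {
    cert_t *peer = model_peer_cert();
    int ok = (peer != NULL);                    /* validation stand-in */
    if (release_ref) model_destroy_cert(peer);  /* the missing call */
    return ok;
}

/* Runs handshake, handler and shutdown; returns the shutdown result. */
static int run_session(int release_ref) {
    model_handshake();
    (void)auth_cert_handler(release_ref);
    int rc = model_shutdown();
    if (rc != 0) { cache_entry->refs = 1; model_shutdown(); } /* demo cleanup */
    return rc;
}

int main(void) {
    printf("leaky rc=%d, fixed rc=%d\n", run_session(0), run_session(1));
}
```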

Comment 3 Jan Vcelak 2011-07-20 15:18:06 UTC
Resolved in openldap-2.4.26-1.fc16

Comment 4 Fedora Update System 2011-08-24 19:38:37 UTC
openldap-2.4.24-4.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/openldap-2.4.24-4.fc15

Comment 5 Fedora Update System 2011-09-12 19:01:42 UTC
openldap-2.4.24-5.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/openldap-2.4.24-5.fc15

Comment 6 Fedora Update System 2011-11-17 23:41:40 UTC
openldap-2.4.24-5.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

