807363 – openldap libraries leak memory when following referrals

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 807363 - openldap libraries leak memory when following referrals

Summary: openldap libraries leak memory when following referrals

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	openldap
Sub Component:
Version:	6.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Jan Vcelak
QA Contact:	David Spurek
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	808064 (view as bug list)
Depends On:
Blocks:	859016
TreeView+	depends on / blocked

Reported:	2012-03-27 15:30 UTC by Jakub Hrozek
Modified:	2015-03-02 05:26 UTC (History)
CC List:	6 users (show)
Fixed In Version:	openldap-2.4.23-22.el6
Doc Type:	Bug Fix
Doc Text:	- remote LDAP server responds with referral to a client query, referral chasing is enabled in the library - library leaks memory - upstream patch applied - the library no longer causes memory leak when chasing a referral
Clone Of:
Clones:	859016 (view as bug list)
Environment:
Last Closed:	2012-06-20 07:32:11 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2012:0899	0	normal	SHIPPED_LIVE	Low: openldap security and bug fix update	2012-06-19 19:28:37 UTC

Description Jakub Hrozek 2012-03-27 15:30:33 UTC

Description of problem:
When the openldap library chases referrals, it leaks memory. This is a problem especially for long-running deamons such as the SSSD and even more so when running in an environment that makes heavy use of referrals, for example Microsoft Active Directory. In those environments, the memory leak reach to the point where SSSD has to be restarted once upon a time to reclaim lost memory.

Version-Release number of selected component (if applicable):
openldap-2.4.23-20.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. configure a server that uses referrals
2. look up an entry that triggers referral chasing
  
Actual results:
a memory leak

Expected results:
no memory leak

Additional info:
We are using the ldap_set_rebind_proc() function in SSSD.

This is how valgrind reports the memory leak:

==5618== 58 (32 direct, 26 indirect) bytes in 1 blocks are definitely lost in loss record 94 of 391
==5618==    at 0x4A05BB4: calloc (vg_replace_malloc.c:467)
==5618==    by 0x3A3F408113: ber_memcalloc_x (memory.c:283)
==5618==    by 0x3A41C14393: ldap_control_create (controls.c:490)
==5618==    by 0xC7045DA: sss_ldap_control_create (sss_ldap.c:68)
==5618==    by 0xC7BF09F: sdap_rebind_proc (sdap_async_connection.c:1727)
==5618==    by 0x3A41C225ED: ldap_new_connection (request.c:564)
==5618==    by 0x3A41C233F1: ldap_send_server_request (request.c:249)
==5618==    by 0x3A41C242D2: ldap_chase_v3referrals (request.c:1255)
==5618==    by 0x3A41C11803: wait4msg (result.c:728)
==5618==    by 0xC785705: sdap_process_result (sdap_async.c:179)
==5618==    by 0xC785329: sdap_ldap_result (sdap_async.c:152)
==5618==    by 0x3A32406A67: std_event_loop_once (tevent_standard.c:326)

Also see the upstream sssd bug #1251 - https://fedorahosted.org/sssd/ticket/1251

Comment 1 Jakub Hrozek 2012-03-27 15:31:40 UTC

I was also able to reproduce on F-16 with openldap-2.4.26-6. Would you like me to test on some newer release, too?

Comment 3 Jan Vcelak 2012-03-27 16:54:08 UTC

(In reply to comment #1)
> I was also able to reproduce on F-16 with openldap-2.4.26-6. Would you like me
> to test on some newer release, too?

Not necessary. It seems that this part of the code was not changed.

Comment 4 Jan Vcelak 2012-03-27 17:03:13 UTC

Jakub originally sent me this backtrace, it looks like another leak:

==13700== 987,424 (4,720 direct, 982,704 indirect) bytes in 59 blocks are definitely lost in loss record 564 of 564
==13700==    at 0x40053B3: calloc (vg_replace_malloc.c:467)
==13700==    by 0xCBBD00: ber_memcalloc_x (in /lib/liblber-2.4.so.2.5.6)
==13700==    by 0x12249F: ldap_send_server_request (in /lib/libldap-2.4.so.2.5.6)
==13700==    by 0x123323: ldap_chase_v3referrals (in /lib/libldap-2.4.so.2.5.6)
==13700==    by 0x10D4EB: ldap_result (in /lib/libldap-2.4.so.2.5.6)
==13700==    by 0x485E262: ??? (in /usr/lib/sssd/libsss_ldap.so.1.0.0)
==13700==    by 0xB74262: ??? (in /usr/lib/libtevent.so.0.9.8)
==13700==    by 0xB70F17: _tevent_loop_once (in /usr/lib/libtevent.so.0.9.8)
==13700==    by 0xB70FAE: ??? (in /usr/lib/libtevent.so.0.9.8)
==13700==    by 0xB70C88: _tevent_loop_wait (in /usr/lib/libtevent.so.0.9.8)
==13700==    by 0x8080D1C: server_loop (in /usr/libexec/sssd/sssd_be)
==13700==    by 0x8055BB8: main (in /usr/libexec/sssd/sssd_be)

I'm not sure if this is caused by a bug in OpenLDAP or by not freeing some result in SSSD. I will investigate.

Comment 5 Jakub Hrozek 2012-04-05 15:33:24 UTC

(In reply to comment #4)
> Jakub originally sent me this backtrace, it looks like another leak:
> 
> ==13700== 987,424 (4,720 direct, 982,704 indirect) bytes in 59 blocks are
> definitely lost in loss record 564 of 564
> ==13700==    at 0x40053B3: calloc (vg_replace_malloc.c:467)
> ==13700==    by 0xCBBD00: ber_memcalloc_x (in /lib/liblber-2.4.so.2.5.6)
> ==13700==    by 0x12249F: ldap_send_server_request (in
> /lib/libldap-2.4.so.2.5.6)
> ==13700==    by 0x123323: ldap_chase_v3referrals (in /lib/libldap-2.4.so.2.5.6)
> ==13700==    by 0x10D4EB: ldap_result (in /lib/libldap-2.4.so.2.5.6)
> ==13700==    by 0x485E262: ??? (in /usr/lib/sssd/libsss_ldap.so.1.0.0)
> ==13700==    by 0xB74262: ??? (in /usr/lib/libtevent.so.0.9.8)
> ==13700==    by 0xB70F17: _tevent_loop_once (in /usr/lib/libtevent.so.0.9.8)
> ==13700==    by 0xB70FAE: ??? (in /usr/lib/libtevent.so.0.9.8)
> ==13700==    by 0xB70C88: _tevent_loop_wait (in /usr/lib/libtevent.so.0.9.8)
> ==13700==    by 0x8080D1C: server_loop (in /usr/libexec/sssd/sssd_be)
> ==13700==    by 0x8055BB8: main (in /usr/libexec/sssd/sssd_be)
> 

Yes this original leak came from the customer who was using Active Directory. The leak I included in the opening comment was what I reproduces with 389DS.

Comment 7 Stephen Gallagher 2012-04-09 11:33:16 UTC

*** Bug 808064 has been marked as a duplicate of this bug. ***

Comment 10 Jan Vcelak 2012-04-10 10:51:49 UTC

Upstream report:
http://www.openldap.org/its/index.cgi?findid=6744

Upstream fix (applies cleanly):
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=518dd3a

Comment 16 Jakub Hrozek 2012-04-10 13:48:02 UTC

You are right, I've got a patch for this leak.

The test packages you gave me fix the memory leak while following referrals. Can we get it into 6.3?

Comment 18 Jan Vcelak 2012-04-10 19:31:52 UTC

Fixed in openldap-2.4.23-22.el6

Comment 19 Jan Vcelak 2012-04-10 19:37:12 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
- remote LDAP server responds with referral to a client query, referral chasing is enabled in the library
- library leaks memory
- upstream patch applied
- the library no longer causes memory leak when chasing a referral

Comment 22 errata-xmlrpc 2012-06-20 07:32:11 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0899.html

Note You need to log in before you can comment on or make changes to this bug.