Closed i-rinat closed 7 years ago
One can verify that there was a use-after-free by compiling nginx with the nginx-auth-ldap module and the NGX_DEBUG_PALLOC=1 macro definition. That makes every pool allocation an actual separate call to malloc, allowing the use of Valgrind.
Then configure a single LDAP backend and run Nginx (single process mode, preferably) under Valgrind. Make a request with authorization and wait for the timeout. Then make the request one more time. The second time, you should be able to see a use-after-free event from Valgrind.
Issues #143, #104, #56, and #33 all look related. There are either crashes in functions that use server->waiting_requests or a very similar condition, crashing when the LDAP backend is not online.
The patch addresses a possible crash in case of a non-working LDAP server.
At the moment, if a request context gets into the server->waiting_requests queue, it can be read in ngx_http_auth_ldap_get_connection() after the context memory is freed, because it is still in the queue after the request has timed out.
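The stale-queue-entry condition described above, as a small added model that is not code from the patch or from nginx-auth-ldap. The names `ctx_t`, `request_timeout` and `run_scenario` are hypothetical, the queue only imitates nginx's intrusive `ngx_queue_t`, and unlinking the context on timeout is an assumed remedy, not necessarily what the patch does.

```c
#include <stddef.h>
#include <stdio.h>

/* Intrusive doubly linked queue, modelled on nginx's ngx_queue_t. */
typedef struct queue_s { struct queue_s *prev, *next; } queue_t;

/* Hypothetical stand-in for the module's per-request context. */
typedef struct {
    queue_t queue;  /* link in the server's waiting_requests queue */
    int     alive;  /* set to 0 when the request's pool would be destroyed */
} ctx_t;

static void queue_insert_tail(queue_t *h, ctx_t *c) {
    c->queue.prev = h->prev;
    c->queue.next = h;
    h->prev->next = &c->queue;
    h->prev = &c->queue;
    c->alive = 1;
}

/* Timeout path. The slot is only marked dead, never freed, so the model
 * can count stale entries without itself reading freed memory. */
static void request_timeout(ctx_t *c, int unlink_first) {
    if (unlink_first) {            /* assumed remedy: leave the queue first */
        c->queue.prev->next = c->queue.next;
        c->queue.next->prev = c->queue.prev;
    }
    c->alive = 0;
}

/* Entries a later queue walk would read after their memory is gone. */
static int stale_entries(queue_t *h) {
    int n = 0;
    for (queue_t *q = h->next; q != h; q = q->next) {
        ctx_t *c = (ctx_t *)((char *)q - offsetof(ctx_t, queue));
        n += !c->alive;
    }
    return n;
}

/* Three waiting requests (constructed input); the middle one times out. */
static int run_scenario(int unlink_first) {
    static ctx_t slots[3];
    queue_t waiting = { &waiting, &waiting };   /* empty queue head */
    for (int i = 0; i < 3; i++) queue_insert_tail(&waiting, &slots[i]);
    request_timeout(&slots[1], unlink_first);
    return stale_entries(&waiting);
}

int main(void) {
    printf("stale, no unlink: %d; with unlink: %d\n", run_scenario(0), run_scenario(1));
    return 0;
}
```

In the real module the stale entry points into a destroyed pool, which is why the read only becomes visible under Valgrind once NGX_DEBUG_PALLOC turns each pool allocation into its own malloc.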