Ticket #1066 (new defect)

Opened 1 year ago

Last modified 8 months ago

mod_auth leaks ldap connections

Reported by: yann@pleiades.fr.eu.org Assigned to: jan
Priority: normal Milestone: 1.4.20
Component: mod_auth Version: 1.4.13
Severity: major Keywords:
Cc: Blocking:
Need Feedback: 0

Description

It seems lighttpd mod_auth leaks an ldap connection to the ldap server each time a request is made. I had this problem loading a page with 600 images protected with ldap auth; lighttpd overloaded my ldap server with too many ldap connections.

I traced the problem and discovered that the ldap anonymous connection (used to find the dn) is opened on each connection in the http_auth_basic_password_compare function (http_auth.c) and is never closed.

It should be opened once and saved in p->conf.ldap but p->conf.ldap is reset to 0 before http_auth_basic_password_compare is called in the mod_auth_patch_connection function at the following line:

PATCH(ldap);

Looking at the code, from what I understand, p->conf.x is usually initialised when mod_auth is loaded, with a pointer to the structure or a string that will contain the data, and the plugin functions modify the data but not the pointer.

But for p->conf.ldap, the pointer is modified by http_auth_basic_password_compare and so it is lost between each call.

Shouldn't the type of p->conf.ldap be (LDAP**) rather than (LDAP*) and initialised when the plugin is loaded?

Tell me if I am wrong; I didn't propose a patch because I am not sure I really understood the code yet.

Attachments

ldap_leak_bugfix.patch (6.2 kB) - added by yann@pleiades.fr.eu.org on 03/03/2007 12:50:37 PM.
Proposed patch to solve this bug

Change History

03/03/2007 12:50:37 PM changed by yann@pleiades.fr.eu.org

  • attachment ldap_leak_bugfix.patch added.

Proposed patch to solve this bug

03/03/2007 12:53:37 PM changed by yann@pleiades.fr.eu.org

I attached a patch which solves the bug by making p->conf.ldap a pointer to a structure containing the ldap connection to the server and the pre and post filter.

The ldap connection is stored in p->conf.ldap->ldap and is not lost between each call.
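The leak mechanism the report describes and the fix the attached patch takes are easiest to see side by side. The following is an added example, not lighttpd's code or the reporter's patch: it replaces the libldap handle with a constructed `fake_ldap` counter so it runs offline, and the names `leaky_conf`, `leaky_patch`, `ldap_state`, `fixed_conf` and the `*_serve` helpers are illustrative stand-ins for mod_auth's per-request conf, the `PATCH(ldap)` copy and `http_auth_basic_password_compare`. The first layout stores the handle directly in the per-request conf, so the copy from the defaults throws the previous handle away before each request and a new connection is opened every time; the second keeps the handle inside a structure that outlives requests, so only the pointer to that structure is copied and the connection is reused. The leaked-handle count is what turns into file-descriptor exhaustion on both the web server and the LDAP server.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for an LDAP* handle so the example runs without
 * libldap; open_handles counts how many are currently open. */
typedef struct { int id; } fake_ldap;
static int open_handles = 0;

static fake_ldap *fake_ldap_open(void) {
    fake_ldap *l = malloc(sizeof *l);
    if (l == NULL) abort();
    l->id = ++open_handles;
    return l;
}

static void fake_ldap_close(fake_ldap *l) {
    free(l);
    open_handles--;
}

/* Layout from the report: the handle sits directly in the per-request conf
 * and the PATCH step copies the (NULL) default over it before every request. */
typedef struct { fake_ldap *ldap; } leaky_conf;
static leaky_conf leaky_defaults = { NULL };

static void leaky_patch(leaky_conf *conf) {
    conf->ldap = leaky_defaults.ldap;   /* previous request's handle is dropped, never closed */
}

static void leaky_password_compare(leaky_conf *conf) {
    if (conf->ldap == NULL)             /* always true right after leaky_patch */
        conf->ldap = fake_ldap_open();  /* so every request opens a fresh connection */
}

/* Serve `requests` requests; returns how many handles were opened and never closed. */
int leaky_serve(int requests) {
    leaky_conf conf = { NULL };
    int before = open_handles;
    for (int i = 0; i < requests; i++) {
        leaky_patch(&conf);
        leaky_password_compare(&conf);
    }
    return open_handles - before;       /* one leaked handle per request */
}

/* Layout from the attached patch: the conf holds a pointer to a structure that
 * outlives requests; PATCH copies only that pointer, so the handle inside survives. */
typedef struct { fake_ldap *ldap; } ldap_state;
typedef struct { ldap_state *ldap; } fixed_conf;

static void fixed_patch(fixed_conf *conf, const fixed_conf *defaults) {
    conf->ldap = defaults->ldap;        /* the same shared structure on every request */
}

static void fixed_password_compare(fixed_conf *conf) {
    if (conf->ldap->ldap == NULL)       /* only the first request opens a connection */
        conf->ldap->ldap = fake_ldap_open();
}

/* Serve `requests` requests; returns how many handles were opened in total. */
int fixed_serve(int requests) {
    ldap_state shared = { NULL };       /* set up once when the plugin is loaded */
    fixed_conf defaults = { &shared };
    fixed_conf conf = { NULL };
    int before = open_handles;
    for (int i = 0; i < requests; i++) {
        fixed_patch(&conf, &defaults);
        fixed_password_compare(&conf);
    }
    int opened = open_handles - before;
    if (shared.ldap != NULL) fake_ldap_close(shared.ldap);  /* plugin teardown */
    return opened;
}

int main(void) {
    printf("handle in per-request conf: %d leaked after 600 requests\n", leaky_serve(600));
    printf("handle in shared structure: %d opened after 600 requests\n", fixed_serve(600));
    return 0;
}
```

The 600-request loop mirrors the reporter's image-heavy page: with the per-request layout the count grows by one per request, with the shared structure it stays at one, which is the check to run against any plugin config field that is supposed to carry state across requests.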

07/30/2007 08:34:48 AM changed by gbjk

I believe we have hit this problem too, but with symptoms. Our ldap server started hitting a max files open error. This would happen every three days or so, apparently after a build up of leaked files. We added an idletimeout to the ldap server and instead lighttpd started to crash every few hours. The lighttpd version is 1.4.13.

The logs would show no signs of distress or errors. It would just disappear, and monit would start it back up again.

This would happen after a bout of images, too. I think the thing about images is the speed with which they are requested.

08/18/2007 10:05:02 PM changed by anonymous

  • blocking changed.
  • pending changed.
  • milestone set to 1.4.17.

11/10/2007 08:00:14 AM changed by dev-zero

  • severity changed from normal to major.

And version 1.5.x is also affected. Together with a security enabled linux kernel, this is really dangerous since the limits are enforced: Meaning that when lighttpd hits the number of 1024 or 2048 open file descriptors, further connections are being denied. And even more: It takes the LDAP-Server down as well since that one does a SIGINT when no new connections can be opened!
