To reproduce:
  * configure with address_sanitizer enabled
  * make TESTS="ldap.sites" test

=================================================================
==6065==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f0002b2738 at pc 0x7fcce80fb3b5 bp 0x7ffd61798410 sp 0x7ffd61798400
READ of size 8 at 0x60f0002b2738 thread T0
    #0 0x7fcce80fb3b4 in samldb_rename_search_base_callback ../../source4/dsdb/samdb/ldb_modules/samldb.c:4203
    #1 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793
    #2 0x7fcced601356 in es_callback ../../source4/dsdb/samdb/ldb_modules/encrypted_secrets.c:1418
    #3 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793
    #4 0x7fccea6d01b4 in operational_callback ../../source4/dsdb/samdb/ldb_modules/operational.c:1564
    #5 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793
    #6 0x7fcced1eab67 in extended_callback ../../source4/dsdb/samdb/ldb_modules/extended_dn_out.c:657
    #7 0x7fcced1eaf34 in extended_callback_ldb ../../source4/dsdb/samdb/ldb_modules/extended_dn_out.c:662
    #8 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793
    #9 0x7fccf920ba3a in dsdb_next_callback ../../source4/dsdb/samdb/ldb_modules/util.c:895
    #10 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793
    #11 0x7fccea0a6d2b in partition_req_callback ../../source4/dsdb/samdb/ldb_modules/partition.c:179
    #12 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793
    #13 0x7fccebd81ddc in ldb_kv_search_and_return_base ../../lib/ldb/ldb_key_value/ldb_kv_search.c:736
    #14 0x7fccebd81ddc in ldb_kv_search ../../lib/ldb/ldb_key_value/ldb_kv_search.c:813
    #15 0x7fccebd7dc33 in ldb_kv_callback ../../lib/ldb/ldb_key_value/ldb_kv.c:1720
    #16 0x7fcd0a5953ff in tevent_common_invoke_timer_handler ../../lib/tevent/tevent_timed.c:370
    #17 0x7fcd0a595a8f in tevent_common_loop_timer_delay ../../lib/tevent/tevent_timed.c:442
    #18 0x7fcd0a59a487 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:922
    #19 0x7fcd0a593612 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
    #20 0x7fcd0a584e16 in _tevent_loop_once ../../lib/tevent/tevent.c:772
    #21 0x7fcd0a0dfe48 in ldb_wait ../../lib/ldb/common/ldb.c:639
    #22 0x7fccf74c0db1 in ldapsrv_rename_with_controls ../../source4/ldap_server/ldap_backend.c:491
    #23 0x7fccf74c0db1 in ldapsrv_ModifyDNRequest ../../source4/ldap_server/ldap_backend.c:1108
    #24 0x7fccf74c0db1 in ldapsrv_do_call ../../source4/ldap_server/ldap_backend.c:1321
    #25 0x7fccf74b4635 in ldapsrv_process_call_trigger ../../source4/ldap_server/ldap_server.c:955
    #26 0x7fcd0a58829d in tevent_queue_immediate_trigger ../../lib/tevent/tevent_queue.c:149
    #27 0x7fcd0a587857 in tevent_common_invoke_immediate_handler ../../lib/tevent/tevent_immediate.c:166
    #28 0x7fcd0a587894 in tevent_common_loop_immediate ../../lib/tevent/tevent_immediate.c:203
    #29 0x7fcd0a59a45e in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:918
    #30 0x7fcd0a593612 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
    #31 0x7fcd0a584e16 in _tevent_loop_once ../../lib/tevent/tevent.c:772
    #32 0x7fcd0a5854da in tevent_common_loop_wait ../../lib/tevent/tevent.c:895
    #33 0x7fcd0a593527 in std_event_loop_wait ../../lib/tevent/tevent_standard.c:141
    #34 0x7fcd0a58558b in _tevent_loop_wait ../../lib/tevent/tevent.c:914
    #35 0x7fccf9875078 in standard_accept_connection ../../source4/smbd/process_standard.c:411
    #36 0x7fcd09eb4e26 in stream_accept_handler ../../source4/smbd/service_stream.c:267
    #37 0x7fcd0a5867d3 in tevent_common_invoke_fd_handler ../../lib/tevent/tevent_fd.c:138
    #38 0x7fcd0a59ac65 in epoll_event_loop ../../lib/tevent/tevent_epoll.c:736
    #39 0x7fcd0a59ac65 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:937
    #40 0x7fcd0a593612 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
    #41 0x7fcd0a584e16 in _tevent_loop_once ../../lib/tevent/tevent.c:772
    #42 0x7fcd0a5854da in tevent_common_loop_wait ../../lib/tevent/tevent.c:895
    #43 0x7fcd0a593527 in std_event_loop_wait ../../lib/tevent/tevent_standard.c:141
    #44 0x7fcd0a58558b in _tevent_loop_wait ../../lib/tevent/tevent.c:914
    #45 0x7fccf9874170 in standard_new_task ../../source4/smbd/process_standard.c:534
    #46 0x7fcd09eb7c55 in task_server_startup ../../source4/smbd/service_task.c:127
    #47 0x7fcd09eb4c08 in server_service_init ../../source4/smbd/service.c:67
    #48 0x7fcd09eb4c08 in server_service_startup ../../source4/smbd/service.c:104
    #49 0x5643432a0ef5 in binary_smbd_main ../../source4/smbd/server.c:848
    #50 0x5643432a1f7e in main ../../source4/smbd/server.c:879
    #51 0x7fcd075c3b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #52 0x56434329e2e9 in _start (/home/gary/projects/samba04/bin/default/source4/smbd/samba+0x82e9)

0x60f0002b2738 is located 104 bytes inside of 168-byte region [0x60f0002b26d0,0x60f0002b2778)
freed by thread T0 here:
    #0 0x7fcd0b4f07b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
    #1 0x7fcd0a351756 in _tc_free_internal ../../lib/talloc/talloc.c:1221
    #2 0x7fcd0a351756 in _talloc_free_internal ../../lib/talloc/talloc.c:1247
    #3 0x7fcd0a351756 in _talloc_free ../../lib/talloc/talloc.c:1789
    #4 0x7fcce80fae4a in check_rename_constraints ../../source4/dsdb/samdb/ldb_modules/samldb.c:4067
    #5 0x7fcce80fae4a in samldb_rename_search_base_callback ../../source4/dsdb/samdb/ldb_modules/samldb.c:4199
    #6 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793
    #7 0x7fcced601356 in es_callback ../../source4/dsdb/samdb/ldb_modules/encrypted_secrets.c:1418
    #8 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793
    #9 0x7fccea6d01b4 in operational_callback ../../source4/dsdb/samdb/ldb_modules/operational.c:1564
    #10 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793
    #11 0x7fcced1eab67 in extended_callback ../../source4/dsdb/samdb/ldb_modules/extended_dn_out.c:657
    #12 0x7fcced1eaf34 in extended_callback_ldb ../../source4/dsdb/samdb/ldb_modules/extended_dn_out.c:662
    #13 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793
    #14 0x7fccf920ba3a in dsdb_next_callback ../../source4/dsdb/samdb/ldb_modules/util.c:895
    #15 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793
    #16 0x7fccea0a6d2b in partition_req_callback ../../source4/dsdb/samdb/ldb_modules/partition.c:179
    #17 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793
    #18 0x7fccebd81ddc in ldb_kv_search_and_return_base ../../lib/ldb/ldb_key_value/ldb_kv_search.c:736
    #19 0x7fccebd81ddc in ldb_kv_search ../../lib/ldb/ldb_key_value/ldb_kv_search.c:813
    #20 0x7fccebd7dc33 in ldb_kv_callback ../../lib/ldb/ldb_key_value/ldb_kv.c:1720
    #21 0x7fcd0a5953ff in tevent_common_invoke_timer_handler ../../lib/tevent/tevent_timed.c:370
    #22 0x7fcd0a595a8f in tevent_common_loop_timer_delay ../../lib/tevent/tevent_timed.c:442
    #23 0x7fcd0a59a487 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:922
    #24 0x7fcd0a593612 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
    #25 0x7fcd0a584e16 in _tevent_loop_once ../../lib/tevent/tevent.c:772
    #26 0x7fcd0a0dfe48 in ldb_wait ../../lib/ldb/common/ldb.c:639
    #27 0x7fccf74c0db1 in ldapsrv_rename_with_controls ../../source4/ldap_server/ldap_backend.c:491
    #28 0x7fccf74c0db1 in ldapsrv_ModifyDNRequest ../../source4/ldap_server/ldap_backend.c:1108
    #29 0x7fccf74c0db1 in ldapsrv_do_call ../../source4/ldap_server/ldap_backend.c:1321
    #30 0x7fccf74b4635 in ldapsrv_process_call_trigger ../../source4/ldap_server/ldap_server.c:955
    #31 0x7fcd0a58829d in tevent_queue_immediate_trigger ../../lib/tevent/tevent_queue.c:149
    #32 0x7fcd0a587857 in tevent_common_invoke_immediate_handler ../../lib/tevent/tevent_immediate.c:166
    #33 0x7fcd0a587894 in tevent_common_loop_immediate ../../lib/tevent/tevent_immediate.c:203
    #34 0x7fcd0a59a45e in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:918
    #35 0x7fcd0a593612 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110

previously allocated by thread T0 here:
    #0 0x7fcd0b4f0b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x7fcd0a358448 in __talloc_with_prefix ../../lib/talloc/talloc.c:782
    #2 0x7fcd0a358448 in __talloc ../../lib/talloc/talloc.c:824
    #3 0x7fcd0a358448 in _talloc_named_const ../../lib/talloc/talloc.c:981
    #4 0x7fcd0a358448 in _talloc_zero ../../lib/talloc/talloc.c:2422
    #5 0x7fcce80fb457 in samldb_ctx_init ../../source4/dsdb/samdb/ldb_modules/samldb.c:93
    #6 0x7fcce80fb599 in samldb_rename ../../source4/dsdb/samdb/ldb_modules/samldb.c:4244
    #7 0x7fcd0a0e9000 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:549
    #8 0x7fcceea85a33 in acl_rename ../../source4/dsdb/samdb/ldb_modules/acl.c:1892
    #9 0x7fcd0a0e9000 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:549
    #10 0x7fccede412f5 in descriptor_rename ../../source4/dsdb/samdb/ldb_modules/descriptor.c:976
    #11 0x7fcd0a0e9000 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:549
    #12 0x7fcceacf47ff in objectclass_do_rename2 ../../source4/dsdb/samdb/ldb_modules/objectclass.c:1217
    #13 0x7fcceacf4aed in get_search_callback ../../source4/dsdb/samdb/ldb_modules/objectclass.c:179
    #14 0x7fcd0a0e82c4 in ldb_module_done ../../lib/ldb/common/ldb_modules.c:868
    #15 0x7fcceea8b346 in acl_search_callback ../../source4/dsdb/samdb/ldb_modules/acl.c:2111
    #16 0x7fcd0a0e82c4 in ldb_module_done ../../lib/ldb/common/ldb_modules.c:868
    #17 0x7fcced602379 in es_callback ../../source4/dsdb/samdb/ldb_modules/encrypted_secrets.c:1426
    #18 0x7fcd0a0e82c4 in ldb_module_done ../../lib/ldb/common/ldb_modules.c:868
    #19 0x7fccea6d04a8 in operational_callback ../../source4/dsdb/samdb/ldb_modules/operational.c:1571
    #20 0x7fcd0a0e82c4 in ldb_module_done ../../lib/ldb/common/ldb_modules.c:868
    #21 0x7fcced1e93e1 in extended_callback ../../source4/dsdb/samdb/ldb_modules/extended_dn_out.c:424
    #22 0x7fcced1eaf34 in extended_callback_ldb ../../source4/dsdb/samdb/ldb_modules/extended_dn_out.c:662
    #23 0x7fcd0a0e82c4 in ldb_module_done ../../lib/ldb/common/ldb_modules.c:868
    #24 0x7fccf920b9f1 in dsdb_next_callback ../../source4/dsdb/samdb/ldb_modules/util.c:888
    #25 0x7fcd0a0e82c4 in ldb_module_done ../../lib/ldb/common/ldb_modules.c:868
    #26 0x7fccea0a6ec2 in partition_req_callback ../../source4/dsdb/samdb/ldb_modules/partition.c:213
    #27 0x7fccebd7a4be in ldb_kv_request_done ../../lib/ldb/ldb_key_value/ldb_kv.c:1634
    #28 0x7fccebd7ec7b in ldb_kv_callback ../../lib/ldb/ldb_key_value/ldb_kv.c:1744
    #29 0x7fcd0a5953ff in tevent_common_invoke_timer_handler ../../lib/tevent/tevent_timed.c:370
    #30 0x7fcd0a595a8f in tevent_common_loop_timer_delay ../../lib/tevent/tevent_timed.c:442
    #31 0x7fcd0a59a487 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:922
    #32 0x7fcd0a593612 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110

SUMMARY: AddressSanitizer: heap-use-after-free ../../source4/dsdb/samdb/ldb_modules/samldb.c:4203 in samldb_rename_search_base_callback
Shadow bytes around the buggy address:
  0x0c1e8004e490: fd fd fd fd fd fd fa fa fa fa fa fa fa fa 00 00
  0x0c1e8004e4a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e8004e4b0: 00 00 04 fa fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c1e8004e4c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e8004e4d0: 04 fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
=>0x0c1e8004e4e0: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fa
  0x0c1e8004e4f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1e8004e500: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c1e8004e510: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c1e8004e520: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c1e8004e530: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==6065==ABORTING