slapd crash when using SQL backend
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| openldap | New | Undecided | Unassigned | |
| openldap (Ubuntu) | Fix Released | Low | Unassigned | |
Bug Description
I have not narrowed this down to a minimal reproduction scenario, but the bug is apparent from reading the code: there is a free() that should never be called, because the pointer passed to it was never returned by an allocator. The valgrind report below confirms this — ch_free() in backsql_id2entry() is handed an address 444 bytes inside a 40,004-byte block calloc'd by entry_prealloc(), and glibc aborts the process on such an invalid free. Note that the trace shows the search being issued after an anonymous bind, so this appears to be reachable by an unauthenticated client and amounts to a remote crash (denial of service) of slapd for any deployment using the SQL backend.
Please find the diff attached. It may not be *the* best or most correct solution, as I have not deeply analysed why the code was written that way, but it fixes the crash for me.
Ubuntu 8.04 (hardy) is also affected.
Valgrind and gdb output is included below.
The crash occurs when a client connects and performs a search; I expect that simply setting up OpenLDAP with the SQL backend and running a search against it is enough to reproduce it.
Valgrind:
==>backsql_
==>backsql_
==>backsql_
do_bind: v3 anonymous bind
<==backsql_
<==backsql_
==>backsql_
==>backsql_
==32193==
==32193== Thread 4:
==32193== Invalid free() / delete / delete[]
==32193== at 0x4824B4A: free (vg_replace_
==32193== by 0x489AE28: ber_memfree_x (memory.c:152)
==32193== by 0x6058F: ch_free (ch_malloc.c:139)
==32193== by 0x53F86BF: backsql_id2entry (entry-id.c:945)
==32193== by 0x53ED183: backsql_init_search (search.c:315)
==32193== by 0x53F1B04: backsql_search (search.c:2034)
==32193== by 0x3F8C8: fe_op_search (search.c:366)
==32193== by 0x3F21B: do_search (search.c:217)
==32193== by 0x3B8F9: connection_
==32193== by 0x3BE54: connection_
==32193== by 0x485219A: ldap_int_
==32193== by 0x49E750E: start_thread (in /lib/tls/
==32193== Address 0x4e31c24 is 444 bytes inside a block of size 40,004 alloc'd
==32193== at 0x4823DE2: calloc (vg_replace_
==32193== by 0x489B034: ber_memcalloc_x (memory.c:277)
==32193== by 0x6039A: ch_calloc (ch_malloc.c:104)
==32193== by 0x4A15E: entry_prealloc (entry.c:548)
==32193== by 0x4A22D: entry_alloc (entry.c:575)
==32193== by 0x53EBCDD: read_baseObject (config.c:677)
==32193== by 0x53EAC96: backsql_db_config (config.c:448)
==32193== by 0x2F1BB: read_config_file (config.c:786)
==32193== by 0x23A21: read_config (bconfig.c:3463)
==32193== by 0x18DF7: main (main.c:754)
Program received signal SIGABRT, Aborted.
[Switching to Thread 0xb6dddb90 (LWP 426)]
0xb7ee0430 in __kernel_vsyscall ()
(gdb) bt full
#0 0xb7ee0430 in __kernel_vsyscall ()
No symbol table info available.
#1 0xb79f38a0 in raise () from /lib/tls/
No symbol table info available.
#2 0xb79f5268 in abort () from /lib/tls/
No symbol table info available.
#3 0xb7a3116d in ?? () from /lib/tls/
No symbol table info available.
#4 0xb7a37454 in ?? () from /lib/tls/
No symbol table info available.
#5 0xb7a394b6 in free () from /lib/tls/
No symbol table info available.
#6 0xb7e54e29 in ber_memfree_x (p=0xb830b13c, ctx=0x0) at /home/stephane/
#7 0xb7f43590 in ch_free (ptr=0xb830b13c) at /home/stephane/
ctx = (void *) 0x0
#8 0xb76ef6c0 in backsql_id2entry (bsi=0xb6ddbdb8, eid=0xb6ddbdcc) at /home/stephane/
e = (Entry *) 0xb830b13c
op = (Operation *) 0xb836ac40
bi = (backsql_info *) 0xb82f5358
i = 1203274741
rc = -1209131020
#9 0xb76e4184 in backsql_init_search (bsi=0xb6ddbdb8, nbase=0xb836ac5c, scope=2, stoptime=
at /home/stephane/
matched = 1
getentry = 1
gotit = 1
bi = (backsql_info *) 0xb82f5358
rc = 0
#10 0xb76e8b05 in backsql_search (op=0xb836ac40, rs=0xb6ddd12c) at /home/stephane/
bi = (backsql_info *) 0xb82f5358
dbh = (SQLHDBC) 0xb8385b90
sres = 0
user_entry = {e_id = 0, e_name = {bv_len = 0, bv_val = 0x0}, e_nname = {bv_len = 0, bv_val = 0x0}, e_attrs = 0x0, e_ocflags = 0, e_bv = {bv_len = 0, bv_val = 0x0}, e_private = 0x0}
base_entry = {e_id = 0, e_name = {bv_len = 17, bv_val = 0xb8359908 "****MASKED****"}, e_nname = {bv_len = 17, bv_val = 0xb8359340 "****MASKED****"}, e_attrs = 0xb83169cc,
e_ocflags = 0, e_bv = {bv_len = 0, bv_val = 0x0}, e_private = 0x0}
manageDSAit = 0
stoptime = 1240841287
bsi = {bsi_op = 0xb836ac40, bsi_rs = 0xb6ddd12c, bsi_flags = 1, bsi_base_ndn = 0xb836ac5c, bsi_use_
eid_oc = 0x0, eid_dn = {bv_len = 17, bv_val = 0xb68dc16c "****MASKED****"}, eid_ndn = {bv_len = 17, bv_val = 0xb68dc154 "****MASKED****"}, eid_next = 0x0}, bsi_scope = 2,
bsi_filter = 0xb68dc12c, bsi_stoptime = 1240841287, bsi_id_list = 0x0, bsi_id_listtail = 0xb6ddbdfc, bsi_c_eid = 0x0, bsi_n_candidates = 0, bsi_status = 0, bsi_oc = 0x0, bsi_sel = {
bb_val = {bv_len = 0, bv_val = 0x0}, bb_len = 0}, bsi_from = {bb_val = {bv_len = 0, bv_val = 0x0}, bb_len = 0}, bsi_join_where = {bb_val = {bv_len = 0, bv_val = 0x0}, bb_len = 0},
bsi_flt_where = {bb_val = {bv_len = 0, bv_val = 0x0}, bb_len = 0}, bsi_filter_oc = 0x0, bsi_dbh = 0xb8385b90, bsi_attrs = 0x0, bsi_e = 0xb6ddbeb8}
eid = (backsql_entryID *) 0x0
nbase = {bv_len = 0, bv_val = 0x0}
lastid = 0
#11 0xb7f228c9 in fe_op_search (op=0xb836ac40, rs=0xb6ddd12c) at /home/stephane/
bd = (BackendDB *) 0xb8036a20
#12 0xb7f2221c in do_search (op=0xb836ac40, rs=0xb6ddd12c) at /home/stephane/
base = {bv_len = 17, bv_val = 0xb836d14f "****MASKED****"}
siz = 0
off = 0
i = 0
#13 0xb7f1e8fa in connection_
rc = 80
---Type <return> to continue, or q <return> to quit---
op = (Operation *) 0xb836ac40
rs = {sr_type = REP_RESULT, sr_tag = 0, sr_msgid = 0, sr_err = 0, sr_matched = 0x0, sr_text = 0x0, sr_ref = 0x0, sr_ctrls = 0x0, sr_un = {sru_sasl = {r_sasldata = 0x0},
sru_extended = {r_rspoid = 0x0, r_rspdata = 0x0}, sru_search = {r_entry = 0x0, r_attr_flags = 0, r_operational_attrs = 0x0, r_attrs = 0x0, r_nentries = 0, r_v2ref = 0x0}}, sr_flags = 0}
tag = 99
opidx = SLAP_OP_SEARCH
conn = (Connection *) 0xb767f0e8
memctx = (void *) 0xb836d120
memctx_null = (void *) 0x0
memsiz = 1048576
#14 0xb7f1ee55 in connection_
rc = 0
cri = {op = 0xb836ac40, func = 0, arg = 0x0, ctx = 0xb6ddd21c, nullop = 0}
s = 12
#15 0xb7e6919b in ldap_int_
pool = (struct ldap_int_
task = (ldap_int_
work_list = (ldap_int_
ctx = {ltu_id = 3067992976, ltu_key = {{ltk_key = 0xb7f1e444, ltk_data = 0xb836d030, ltk_free = 0xb7f1e217 <conn_counter_
ltk_free = 0xb7f8b480 <slap_sl_
ltk_free = 0xb76f4b23 <backsql_
kctx = (ldap_int_
i = 32
keyslot = 734
hash = 5416670
#16 0xb7cf950f in start_thread () from /lib/tls/
No symbol table info available.
#17 0xb7aa9a0e in clone () from /lib/tls/
No symbol table info available.
ProblemType: Bug
Architecture: i386
DistroRelease: Ubuntu 8.10
NonfreeKernelMo
Package: slapd 2.4.11-0ubuntu6
ProcEnviron:
SHELL=/bin/zsh
PATH=/
LANG=en_GB.UTF-8
SourcePackage: openldap
Uname: Linux 2.6.27-14-generic i686
I do not see the patch attached, so I am attaching it again; apologies if this creates a duplicate.