
slap_graduate_commit_csn() crashes slapd (ITS#2744)
Full_Name: Luke Howard
Version: HEAD
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (165.228.130.12)


slap_graduate_commit_csn() is called regardless of whether the operation
succeeds or not, at least in delete.c, by virtue of its placement.

I don't know enough about what this function does to know whether this is
correct behaviour, but it at least needs to check for the validity of its
argument and, potentially, should only be called after checking the operation
result code.

For example, it's fairly easy to crash slapd by sending a delete request with an
invalid DN syntax. Once dnPrettyNormal() fails (delete.c:81 in CVS revision
1.100), slap_graduate_commit_csn() will be called with an operation with no
backend set.

I haven't looked at the code enough to know whether this issue is specific to
delete.c, or whether the problem is manifest for other operations.

(gdb) bt
#0  0x40247e90 in pthread_mutex_lock () from /lib/libpthread.so.0
#1  0x080e1491 in ldap_pvt_thread_mutex_lock (mutex=0xb8) at thr_posix.c:288
#2  0x0809ba74 in slap_graduate_commit_csn (op=0x829f8d0) at ctxcsn.c:97
#3  0x08078062 in do_delete (op=0x829f8d0, rs=0xbefff8e4) at delete.c:260
#4  0x08066f42 in connection_operation (ctx=0xbefff964, arg_v=0x829f8d0) at connection.c:977
#5  0x080e0d70 in ldap_int_thread_pool_wrapper (xpool=0x816d420) at tpool.c:463
#6  0x402470ba in pthread_start_thread () from /lib/libpthread.so.0
#7  0x40247101 in pthread_start_thread_event () from /lib/libpthread.so.0
(gdb) p op
$5 = (Operation *) 0x829f8d0
(gdb) p op->o_bd
$6 = (BackendDB *) 0x0
(gdb) down
#1  0x080e1491 in ldap_pvt_thread_mutex_lock (mutex=0xb8) at thr_posix.c:288
288             return pthread_mutex_lock( mutex );
(gdb) p mutex
$7 = (ldap_pvt_thread_mutex_t *) 0xb8
(gdb) up
#2  0x0809ba74 in slap_graduate_commit_csn (op=0x829f8d0) at ctxcsn.c:97
97              ldap_pvt_thread_mutex_lock( &op->o_bd->be_pcl_mutex );
(gdb)
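The trace above is consistent with a plain NULL dereference: op->o_bd is 0x0, and the mutex argument 0xb8 is simply the offset of be_pcl_mutex inside BackendDB in that build, which is what &op->o_bd->be_pcl_mutex evaluates to when o_bd is NULL. The following is an added illustration of that failure mode and of the two remedies the report suggests (validate the argument, and/or only graduate after checking the result code). It is not OpenLDAP code: the field names o_bd and be_pcl_mutex follow the report, but the struct layouts, the toy lock, the DN check and all helper names are hypothetical stand-ins for slapd's real ones.

```c
/* Added example, not OpenLDAP code. Models the ITS#2744 path: a delete
 * whose DN fails normalization reaches the post-operation cleanup with
 * op->o_bd still NULL. Struct layouts and helpers are hypothetical. */
#include <stddef.h>
#include <string.h>

#define LDAP_SUCCESS            0
#define LDAP_INVALID_DN_SYNTAX 34   /* real LDAP result code for a bad DN */

/* Toy lock standing in for ldap_pvt_thread_mutex_t (hypothetical). */
typedef struct { int locked; } toy_mutex_t;
static void toy_lock(toy_mutex_t *m)   { m->locked = 1; }
static void toy_unlock(toy_mutex_t *m) { m->locked = 0; }

typedef struct BackendDB {
    int be_pad[8];                  /* so the mutex is not at offset 0 */
    toy_mutex_t be_pcl_mutex;       /* the member the crash tried to lock */
    int be_graduations;             /* how many CSNs were graduated */
} BackendDB;

typedef struct Operation {
    BackendDB *o_bd;                /* NULL until a backend is selected */
} Operation;

void backend_init(BackendDB *be)
{
    memset(be, 0, sizeof *be);
}

/* Where the unguarded lock call ends up pointing when o_bd == NULL:
 * &((BackendDB *)NULL)->be_pcl_mutex is just the member offset. In the
 * report's build that offset was 0xb8; here it is whatever this model
 * struct yields, the mechanism is the same. */
size_t bad_mutex_address_if_null(void)
{
    return offsetof(BackendDB, be_pcl_mutex);
}

/* Remedy 1: the cleanup validates its argument instead of dereferencing
 * op->o_bd blindly. Returns 1 if a CSN was graduated, 0 if skipped. */
int graduate_commit_csn_guarded(Operation *op)
{
    if (op == NULL || op->o_bd == NULL)
        return 0;                   /* no backend selected: nothing to do */
    toy_lock(&op->o_bd->be_pcl_mutex);
    op->o_bd->be_graduations++;
    toy_unlock(&op->o_bd->be_pcl_mutex);
    return 1;
}

/* Stand-in for dnPrettyNormal(): accept only "attr=value" shapes. */
static int dn_is_valid(const char *dn)
{
    const char *eq = strchr(dn, '=');
    return eq != NULL && eq != dn && eq[1] != '\0';
}

/* Model of do_delete(): on a bad DN the request fails before any backend
 * is selected, yet control still falls through to the cleanup, exactly
 * the placement the report describes. Remedy 2 is applied as well: the
 * cleanup is reached only once the result code has been examined. */
int do_delete_model(Operation *op, BackendDB *be, const char *dn)
{
    int rc = LDAP_SUCCESS;
    op->o_bd = NULL;                /* nothing selected yet */

    if (!dn_is_valid(dn)) {
        rc = LDAP_INVALID_DN_SYNTAX;
        goto cleanup;               /* same early exit as delete.c */
    }
    op->o_bd = be;                  /* backend selected only on success */

cleanup:
    if (rc == LDAP_SUCCESS)
        graduate_commit_csn_guarded(op);
    return rc;
}
```

Either remedy alone stops the crash: graduate_commit_csn_guarded() survives a NULL o_bd on its own, and gating on rc keeps the graduation from running for a request that never reached a backend. Whether a failed operation should graduate a CSN at all is the semantic question the report leaves open, so the model keeps both checks.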