(ITS#3800) libldap abandon issue

[ando@sys-net.it]

Full_Name: Pierangelo Masarati
Version: HEAD
OS: Linux Whitebox 3
URL: ftp://ftp.openldap.org/incoming/masarati-2005-06-28-libldap-abandon.patch
Submission from: (NULL) (81.72.89.40)
Submitted by: ando


I've been hitting unesplicable core dumps when heavily loading back-ldap with
abandoning; I tracked down the issue in do_abandon calling ldap_free_request()
on a dangling LDAPRequest pointer.  I'm not 100% sure about the fix, because I
didn't understand yet how it could happen, but the problem is cured by the
attached patch.  It appears that when do_abandon() temporarily releases the
request mutex to delete the response message and re-acquires it, the LDAPRequest
the previously acquired "lr" pointer gets freed by someone else.  The fix is
trivial: re-fetch the request before continuing the abandon, right after
re-acquiring the mutex.  The problem cannot be easily reproduced, but I was able
to repeatedly produce it after some heavy and concurrent load.  I'm keen to
committing this fix: at least it's not making any harm, but there might be
better solutions.

p.

<patch>
Index: libraries/libldap/abandon.c
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/libraries/libldap/abandon.c,v
retrieving revision 1.37
diff -u -r1.37 abandon.c
--- libraries/libldap/abandon.c	1 Jan 2005 19:49:43 -0000	1.37
+++ libraries/libldap/abandon.c	26 Jun 2005 19:39:47 -0000
@@ -161,6 +161,15 @@
 		return LDAP_SUCCESS;
 	}
 
+	/* fetch again the request that we are abandoning */
+	if ( lr != NULL ) {
+		for ( lr = ld->ld_requests; lr != NULL; lr = lr->lr_next ) {
+			if ( lr->lr_msgid == msgid ) {	/* this message */
+				break;
+			}
+		}
+	}
+
 	err = 0;
 	if ( sendabandon ) {
 		if( ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_GET_FD, NULL ) == -1 ) {
</patch>