
(ITS#3842) crash - NULL dereference in slapd_remove()



Full_Name: Jason Townsend
Version: 2.2.19 and HEAD
OS: Mac OS X 10.4.1
URL: http://www.opendarwin.org/~jtownsend/patches/shutdowncrash/servers-slapd-daemon.patch
Submission from: (NULL) (17.221.43.142)


During shutdown, the slap_listeners array is freed before the connections are
shut down, which can cause a crash. The fix would be to free the slap_listeners
array after the connections are shut down. I've prepared a patch against the
current HEAD. The patch was initially developed against 2.2.19 but it should
apply to the current 2.2.x and 2.3.x releases as well.

http://www.opendarwin.org/~jtownsend/patches/shutdowncrash/servers-slapd-daemon.patch

An example crash is below (this was from a 2.1.22 based build so the line
numbers may not match up quite right).

Exception:  EXC_BAD_ACCESS (0x00000001 (in slapd))
Codes:      KERN_PROTECTION_FAILURE (0x00000002 (in slapd)) at 0x00000000

Thread 0:
0   libSystem.B.dylib   0x90014528 semaphore_wait_trap + 0x00000008 (in slapd)
1   libSystem.B.dylib   0x9003911c pthread_join + 0x000000fc (in slapd)
2   slapd               _slapd_daemon (in slapd) (daemon.c:1961) 0x00001000 (in slapd) + _slapd_daemon_task (in slapd) (daemon.c:1379)
3   slapd               _main (in slapd) (main.c:578) 0x00001000 (in slapd) + 0x000026c4 (in slapd)
4   slapd               __start (in slapd) (crt.c:267) 0x00001000 (in slapd) + 0x000019c4 (in slapd)
5   slapd               start (in slapd) 0x00001000 (in slapd) + 0x00001838 (in slapd)

Thread 1 Crashed:
0   slapd               _slapd_remove (in slapd) (daemon.c:257) 0x00001000 (in slapd) + _usage (in slapd) (main.c:98)
1   slapd               _connection_destroy (in slapd) (connection.c:667) 0x00001000 (in slapd) + _connections_destroy (in slapd) (connection.c:116)
2   slapd               _connection_close (in slapd) (connection.c:786) 0x00001000 (in slapd) + _connection_get (in slapd) (connection.c:297)
3   slapd               _connections_shutdown (in slapd) (connection.c:168) 0x00001000 (in slapd) + _slapd_daemon_task (in slapd) (daemon.c:1549)
4   slapd               _slapd_daemon_task (in slapd) (daemon.c:1918) 0x00001000 (in slapd) + _slapd_daemon_task (in slapd) (daemon.c:1345)
5   libSystem.B.dylib   0x900246e8 _pthread_body + 0x00000028 (in slapd)
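The shutdown-ordering defect the report describes, reduced to a constructed model (this is an added illustration, not slapd's code and not the submitted patch): a global listener table that per-connection teardown still consults, freed before the connections are closed. The names `slap_listeners`, `remove_descriptor`, `connections_shutdown` and the two `shutdown_*` orderings are assumptions made for the example; the real `slapd_remove()` dereferences the table without a check, which is the NULL dereference in the trace, so the stand-in here returns an error instead of crashing, letting both orderings run to completion and be compared.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the report's shutdown path: connections are torn
 * down through a removal step that walks a global listener table. */

#define N_LISTENERS 2
#define N_CONNS 3

typedef struct { int sd; int active; } listener_t;
typedef struct { int sd; } conn_t;

/* NULL-terminated table of listeners; set to NULL once freed (hypothetical
 * stand-in for slapd's slap_listeners). */
static listener_t **slap_listeners;
static conn_t conns[N_CONNS];

static void listeners_init(void) {
    slap_listeners = calloc(N_LISTENERS + 1, sizeof *slap_listeners);
    for (int i = 0; i < N_LISTENERS; i++) {
        slap_listeners[i] = calloc(1, sizeof(listener_t));
        slap_listeners[i]->sd = 100 + i;     /* constructed descriptor numbers */
        slap_listeners[i]->active = 1;
    }
}

static void listeners_destroy(void) {
    if (slap_listeners == NULL) return;
    for (int i = 0; slap_listeners[i] != NULL; i++) free(slap_listeners[i]);
    free(slap_listeners);
    slap_listeners = NULL;
}

static void connections_init(void) {
    for (int i = 0; i < N_CONNS; i++) conns[i].sd = 200 + i;  /* constructed */
}

/* Stand-in for slapd_remove(): drops a descriptor from the daemon's
 * bookkeeping and checks whether it was a listener. The real function
 * dereferences the table unconditionally; returning -1 here models the
 * crash without actually faulting. */
static int remove_descriptor(int sd) {
    if (slap_listeners == NULL) return -1;          /* this is the crash site */
    for (int i = 0; slap_listeners[i] != NULL; i++) {
        if (slap_listeners[i]->sd == sd) slap_listeners[i]->active = 0;
    }
    return 0;
}

/* Close every open connection; count removals that hit the freed table. */
static int connections_shutdown(void) {
    int failures = 0;
    for (int i = 0; i < N_CONNS; i++) {
        if (conns[i].sd == 0) continue;
        if (remove_descriptor(conns[i].sd) != 0) failures++;
        conns[i].sd = 0;
    }
    return failures;
}

/* Ordering from the report: listener table freed, then connections closed.
 * Returns the number of removals that would have dereferenced NULL. */
int shutdown_listeners_first(void) {
    listeners_init();
    connections_init();
    listeners_destroy();
    int failures = connections_shutdown();
    listeners_destroy();   /* no-op, table already gone */
    return failures;
}

/* Ordering the patch proposes: connections closed, then the table freed. */
int shutdown_connections_first(void) {
    listeners_init();
    connections_init();
    int failures = connections_shutdown();
    listeners_destroy();
    return failures;
}

int main(void) {
    printf("listeners freed first:   %d removals hit a NULL table\n",
           shutdown_listeners_first());
    printf("connections closed first: %d removals hit a NULL table\n",
           shutdown_connections_first());
    return 0;
}
```

The point of the comparison is that the crash is purely a lifetime-ordering problem: nothing about the connections themselves is wrong, so any teardown that frees shared tables only after the last user of them has run removes the fault, which is exactly what moving the `slap_listeners` free after the connection shutdown does.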