Re: (ITS#4689) slapd - glibc - double free or corruption when searching translucent overlay



> ==6732== Thread 4:
> ==6732== Invalid free() / delete / delete[]
> ==6732==    at 0x401C228: free (vg_replace_malloc.c:233)
> ==6732==    by 0x8079321: do_search (search.c:233)
> ==6732==    by 0x80778C1: connection_operation (connection.c:1109)
> ==6732==    by 0x80782C2: connection_read_thread (connection.c:1237)
> ==6732==    by 0x81816C1: ldap_int_thread_pool_wrapper (tpool.c:704)
> ==6732==    by 0x42022AA: start_thread (in /lib/libpthread-2.3.6.so)
> ==6732==    by 0x44CDE2D: clone (in /lib/libc-2.3.6.so)
> ==6732==  Address 0x59566A8 is 0 bytes inside a block of size 220 free'd
> ==6732==    at 0x401C228: free (vg_replace_malloc.c:233)
> ==6732==    by 0x80912A5: ch_free (ch_malloc.c:139)
> ==6732==    by 0x81628E1: rwm_response (rwm.c:1394)
> ==6732==    by 0x80D24C9: over_back_response (backover.c:237)
> ==6732==    by 0x8085C3F: slap_response_play (result.c:317)
> ==6732==    by 0x8085D82: send_ldap_response (result.c:391)
> ==6732==    by 0x80867E7: slap_send_ldap_result (result.c:638)
> ==6732==    by 0x80F67D0: ldap_back_search (search.c:482)
> ==6732==    by 0x816CED8: translucent_search (translucent.c:613)
> ==6732==    by 0x80D29FE: overlay_op_walk (backover.c:492)
> ==6732==    by 0x80D2B5E: over_op_func (backover.c:552)
> ==6732==    by 0x807A029: fe_op_search (search.c:374)

OK, that's rwm not translucent.  What I suspect is that slapo-rwm(5)
occasionally does something nasty with memory: it deletes what's passed by
the caller and replaces it with its own massaged data.  Apparently,
translucent is passing it a temporary Operation structure, and rwm
modifies some of its content, but the caller, do_search() in this case,
sees a dangling pointer because rwm freed and replaced it with a newly
allocated one that's now leaked.

slapo-rwm(5) in general needs some redesign; in fact, it was designed to
act like that because at that time there was no sc_cleanup handler in
slap_callback.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
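
The ownership problem described in the message, reduced to a small model (an added example, not code from the mail or from OpenLDAP): a callee frees and replaces a field in a temporary shallow copy of a structure, and the caller later frees the original pointer. `struct op`, the tracking allocator and the `rewrite_*` functions are hypothetical names; the save-and-restore variant is an assumed illustration of what a cleanup step makes possible, not OpenLDAP's actual fix.

```c
#include <string.h>

/* Tracking allocator (constructed for this example): frees are recorded,
 * not executed, so the double free can be counted without crashing. */
#define SLOTS 8
static char pool[SLOTS][32];
static int live[SLOTS], next_slot, bad_frees;

static void t_reset(void) { memset(live, 0, sizeof live); next_slot = bad_frees = 0; }
static char *t_strdup(const char *s) {
    if (next_slot >= SLOTS) return NULL;
    live[next_slot] = 1;                 /* slots are never reused */
    strncpy(pool[next_slot], s, 31);
    pool[next_slot][31] = '\0';
    return pool[next_slot++];
}
static void t_free(char *p) {
    for (int i = 0; i < SLOTS; i++)
        if (p == pool[i]) { if (live[i]) live[i] = 0; else bad_frees++; }
}
int leaked_blocks(void) {                /* blocks still live after the run */
    int n = 0;
    for (int i = 0; i < SLOTS; i++) n += live[i];
    return n;
}

struct op { char *filter; };             /* hypothetical; not OpenLDAP's Operation */
struct saved { char *orig; };

/* Pattern from the mail: free the caller's data, substitute our own. */
static void rewrite_replace(struct op *o) {
    t_free(o->filter);
    o->filter = t_strdup("(cn=rewritten)");
}
/* Alternative: remember the original and undo the swap in a cleanup step. */
static void rewrite_keep(struct op *o, struct saved *s) {
    s->orig = o->filter;
    o->filter = t_strdup("(cn=rewritten)");
}
static void rewrite_cleanup(struct op *o, struct saved *s) {
    t_free(o->filter);                   /* release only what the rewriter allocated */
    o->filter = s->orig;
}

/* Returns the number of invalid frees seen by the allocator. */
int run(int use_cleanup) {
    struct saved s;
    t_reset();
    struct op real = { t_strdup("(cn=orig)") };
    struct op tmp = real;                /* temporary shallow copy */
    if (use_cleanup) { rewrite_keep(&tmp, &s); rewrite_cleanup(&tmp, &s); }
    else rewrite_replace(&tmp);          /* real.filter now dangles */
    t_free(real.filter);                 /* caller frees what it passed in */
    return bad_frees;
}
```

With `run(0)` the allocator records one invalid free and one block that is never released, matching the dangling pointer and the leak the message describes.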