
(ITS#4925) Modify operation with NOOP control on a BDB backend causes slapd to crash



Full_Name: Jonathan Clarke
Version: 2.3.35
OS: Linux (ubuntu)
URL: 
Submission from: (NULL) (213.41.243.192)


When trying a modify operation (such as changing or adding a value of an
attribute) with the NOOP control (set to critical) on an entry stored in a BDB
backend, slapd crashes, with the following error:

*** glibc detected *** ./servers/slapd/slapd: munmap_chunk(): invalid pointer:
0x0821e235 ***
======= Backtrace: =========
[...]
======= Memory map: ========
[...]
Abandon (core dumped)

This only happens for operations that should succeed (i.e., should return the NOOP
error code LDAP_X_NO_OPERATION). Operations which fail for other reasons
(refused by ACLs, schema error, etc.) do not make slapd crash.

I have tested this on versions 2.3.32, 2.3.34, 2.3.35 and HEAD (as of today).
The crash only happens with the BDB backend (I tested slapd with an ldap backend,
which only made the remote slapd with a BDB backend crash, not the one with the
ldap backend).

After some investigation, I found that this crash results from a call to
attrs_free() in servers/slapd/back-bdb/modify.c, after the "return_results"
label. This seems to be a double free() problem.

The following patch solved the problem for me on versions 2.3.32, 2.3.34, 2.3.35
and HEAD (as of today). With this patch, NOOP behaves as expected. The patch
simply adds 2 lines copied from the error handling "if" higher up in the same
function (bdb_modify).

---------------------BEGIN PATCH---------------------
--- modify.c.~1.124.2.16.~      2007-01-02 22:44:00.000000000 +0100
+++ modify.c    2007-04-11 14:44:56.000000000 +0200
@@ -538,6 +538,8 @@
                } else {
                        rs->sr_err = LDAP_X_NO_OPERATION;
                        ltid = NULL;
+                       /* Only free attrs if they were dup'd.  */
+                       if ( dummy.e_attrs == e->e_attrs ) dummy.e_attrs =
NULL;
                        goto return_results;
                }
        } else {
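Review bot: the aliasing check added before `goto return_results` in the LDAP_X_NO_OPERATION branch is a second copy of the guard from the error-handling `if`, so any further path that jumps to the label with `dummy.e_attrs` still equal to `e->e_attrs` would reach attrs_free() the same way. Consider doing the comparison once at `return_results`, directly before the attrs_free() call, rather than at each jump site. The comment would also be more useful if it said why the attributes are not dup'd on this path, since the hunk does not show where the pointer ends up shared. Note too that the added `if` line has been wrapped by the mailer (`NULL;` sits on its own line without a `+`), so the patch will not apply as posted.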
----------------------END PATCH----------------------
(sorry not to put this patch on an FTP site, but ftp.openldap.org complains with
452 Error writing file: No space left on device.)

I, Jonathan Clarke, hereby place the preceding modifications to OpenLDAP
Software (and only these modifications) into the public domain. Hence, these
modifications may be freely used and/or redistributed for any purpose with or
without attribution and/or other notice.
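
The ownership rule stated in the patch's comment ("Only free attrs if they were dup'd"), as a small C model added here; it is not OpenLDAP code and not part of the original report. The `Attr`/`Entry` types and the `*_model`, `cleanup_working_copy` and `run_case` names are hypothetical stand-ins, and a counter of freed nodes replaces the crash so both cases can be run safely.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified stand-ins for illustration; not OpenLDAP's real types. */
typedef struct Attr { char *name; struct Attr *next; } Attr;
typedef struct Entry { Attr *e_attrs; } Entry;
static int nodes_freed;                 /* instrumentation for the demo */
static Attr *attr_push(Attr *head, const char *name) {
    Attr *a = malloc(sizeof *a);
    a->name = malloc(strlen(name) + 1);
    strcpy(a->name, name);
    a->next = head;
    return a;
}

static Attr *attrs_dup_model(const Attr *src) {
    Attr *head = NULL, **tail = &head;
    for (; src; src = src->next) {
        *tail = attr_push(NULL, src->name);
        tail = &(*tail)->next;
    }
    return head;
}

static void attrs_free_model(Attr *a) {
    while (a) {
        Attr *next = a->next;
        free(a->name); free(a); nodes_freed++;
        a = next;
    }
}

/* The patch's guard: a list merely borrowed from e is dropped, not freed. */
static int cleanup_working_copy(Entry *dummy, const Entry *e) {
    int before = nodes_freed;
    if (dummy->e_attrs == e->e_attrs) dummy->e_attrs = NULL;
    attrs_free_model(dummy->e_attrs);   /* no-op when NULL */
    dummy->e_attrs = NULL;
    return nodes_freed - before;        /* nodes released by the cleanup */
}

int run_case(int dup_first) {           /* dup_first: working copy owns its list */
    Entry e = { attr_push(attr_push(NULL, "cn"), "sn") };  /* constructed sample */
    Entry dummy = e;                    /* shallow copy: pointer is shared */
    if (dup_first) dummy.e_attrs = attrs_dup_model(e.e_attrs);
    int released = cleanup_working_copy(&dummy, &e);
    attrs_free_model(e.e_attrs);        /* the entry's owner frees it exactly once */
    return released;
}
int main(void) { return !(run_case(0) == 0 && run_case(1) == 2); }
```

Without the comparison in `cleanup_working_copy`, the shared case would release the same list twice: once through the working copy and once through the entry's owner.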