
(ITS#6341) slapd crashing when deleting and re-adding the last object

Full_Name: Ralf Haferkamp
Version: HEAD, RE24
OS: 
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (92.252.30.227)
Submitted by: ralf
slapd in current HEAD and RE24 crashes when the last object from the database is
deleted and re-added. Valgrind gives me this (during the ldapadd operation):

==11646== Invalid read of size 8
==11646==    at 0x52E4F2: bdb_cache_lru_link (cache.c:137)
==11646==    by 0x530762: hdb_cache_add (cache.c:1191)
==11646==    by 0x52C8D9: hdb_add (add.c:484)
==11646==    by 0x44A43D: fe_op_add (add.c:334)
==11646==    by 0x449DB0: do_add (add.c:194)
==11646==    by 0x4410E6: connection_operation (connection.c:1123)
==11646==    by 0x441672: connection_read_thread (connection.c:1259)
==11646==    by 0x4E3C51C: ldap_int_thread_pool_wrapper (tpool.c:685)
==11646==    by 0x6EB206F: start_thread (in /lib64/libpthread-2.9.so)
==11646==    by 0x719A10C: clone (in /lib64/libc-2.9.so)
==11646==  Address 0x9b25740 is 128 bytes inside a block of size 144 free'd
==11646==    at 0x4C243AF: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==11646==    by 0x5091C09: ber_memfree_x (memory.c:152)
==11646==    by 0x465624: ch_free (ch_malloc.c:139)
==11646==    by 0x52E493: bdb_cache_entryinfo_free (cache.c:104)
==11646==    by 0x530E5A: hdb_cache_delete_cleanup (cache.c:1419)
==11646==    by 0x5369A9: hdb_delete (delete.c:575)
==11646==    by 0x462FDD: fe_op_delete (delete.c:174)
==11646==    by 0x462C6C: do_delete (delete.c:95)
==11646==    by 0x4410E6: connection_operation (connection.c:1123)
==11646==    by 0x4E3C51C: ldap_int_thread_pool_wrapper (tpool.c:685)
==11646==    by 0x6EB206F: start_thread (in /lib64/libpthread-2.9.so)
==11646==    by 0x719A10C: clone (in /lib64/libc-2.9.so)

Further investigation with gdb showed that bdb->bi_cache.c_lrutail points to
free'd memory after the last object is removed from the database, which results
in the crash when trying to access that memory during the add operation.
I am currently working on a fix. Will submit it to HEAD later today.
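The dangling-tail condition described in the report, modelled in a small C example added here (this is not OpenLDAP's code; the struct and function names are hypothetical): an unlink that patches only the list neighbours leaves the cache's tail pointer on the node that is about to be freed, while the fixed unlink resets head and tail when the only entry is removed, so the following add links cleanly.

```c
#include <stdlib.h>

/* Constructed model of a cache entry on a doubly linked LRU list
 * (hypothetical names, not OpenLDAP's own bdb/hdb structures). */
typedef struct entryinfo { struct entryinfo *lru_prev, *lru_next; } entryinfo;

/* Hypothetical cache header: head is least recently used, tail most recent. */
typedef struct cache { entryinfo *lru_head, *lru_tail; size_t count; } cache;

/* Append at the tail. If lru_tail is stale, the write through it here is the
 * kind of invalid access the report's valgrind trace shows in the add path. */
static void lru_link(cache *c, entryinfo *e) {
    e->lru_next = NULL;
    e->lru_prev = c->lru_tail;
    if (c->lru_tail) c->lru_tail->lru_next = e;
    else c->lru_head = e;
    c->lru_tail = e;
    c->count++;
}

/* Unlink e. With fixed == 0 only the neighbours are patched, so removing the
 * sole entry leaves lru_head/lru_tail pointing at memory about to be freed. */
static void lru_unlink(cache *c, entryinfo *e, int fixed) {
    if (e->lru_prev) e->lru_prev->lru_next = e->lru_next;
    if (e->lru_next) e->lru_next->lru_prev = e->lru_prev;
    if (fixed) {
        if (c->lru_head == e) c->lru_head = e->lru_next;
        if (c->lru_tail == e) c->lru_tail = e->lru_prev;
    }
    e->lru_prev = e->lru_next = NULL;
    c->count--;
}

/* Remove the only entry, then re-add a fresh one, like the report's delete
 * followed by ldapadd. Returns -1 when lru_tail still references the removed
 * entry (checked before free(), so the probe stops instead of touching freed
 * memory), 1 when the re-added entry is cleanly the only node, 0 otherwise. */
int delete_then_readd(int fixed) {
    cache c = {0};
    entryinfo *e = calloc(1, sizeof *e), *f = calloc(1, sizeof *f);
    lru_link(&c, e);
    lru_unlink(&c, e, fixed);
    int dangles = (c.lru_tail == e);
    free(e);
    if (dangles) { free(f); return -1; }
    lru_link(&c, f);
    int ok = c.lru_head == f && c.lru_tail == f && c.count == 1 && !f->lru_prev;
    free(f);
    return ok;
}
```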