
Re: (ITS#7245) crash when using CSN in cookie



jsoula@univ-lille2.fr wrote:
> Full_Name: julien soula
> Version: 2.4.30
> OS: gentoo/linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (194.254.117.85)
>
>
> hello,
>
> on a replica, when I use the cookie parameter with a csn value such as:
>     -c 'rid=101,csn=20120320035618.177820Z#000000#000#000000'
> the server crashes immediately due to a bad free:

Thanks for the report, fixed in git master.
>
> #0  0x00007ffff6ac3a55 in raise () from /lib64/libc.so.6
> #1  0x00007ffff6ac4d55 in abort () from /lib64/libc.so.6
> #2  0x00007ffff6afe972 in ?? () from /lib64/libc.so.6
> #3  0x00007ffff6b03df5 in ?? () from /lib64/libc.so.6
> #4  0x00007ffff6b08d2c in free () from /lib64/libc.so.6
> #5  0x00000000005b78d6 in ber_memfree_x (p=0xd45628, ctx=0x0) at memory.c:152
> #6  0x00000000005b85e4 in ber_bvarray_free_x (a=0xd45660, ctx=0x0) at memory.c:731
> #7  0x00000000005b8620 in ber_bvarray_free (a=0xd45660) at memory.c:741
> #8  0x00000000004be085 in slap_sync_cookie_free (cookie=0x8f3140, free_cookie=1)
>      at ldapsync.c:106
> #9  0x00000000004a3ab1 in do_syncrep1 (op=0x7fffad9f8470, si=0xa0f4d0)
>      at syncrepl.c:675
> #10 0x00000000004a6e70 in do_syncrepl (ctx=0x7fffad9f8b60, arg=0xa0c4d0)
>      at syncrepl.c:1512
> #11 0x0000000000581c1f in ldap_int_thread_pool_wrapper (xpool=0x924d20)
>      at tpool.c:688
> #12 0x00007ffff7645c5c in start_thread () from /lib64/libpthread.so.0
> #13 0x00007ffff6b67fcd in clone () from /lib64/libc.so.6
>
> After some analysis, I noticed that the allocation of this block was done with a
> non-null memory context:
>
> #0  ber_memalloc_x (s=41, ctx=0xd3ebd0) at memory.c:231
> #1  0x00000000005b7f46 in ber_dupbv_x (dst=0x7fffad9f8350, src=0x7fffad9f8360,
>      ctx=0xd3ebd0) at memory.c:506
> #2  0x0000000000480ff9 in csnNormalize (usage=2, syntax=0x912160, mr=0x918670,
>      val=0x7fffad9f8360, normalized=0x7fffad9f8350, ctx=0xd3ebd0)
>      at schema_init.c:5395
> #3  0x00000000004be94d in slap_parse_sync_cookie (cookie=0x8f3140, memctx=0xd3ebd0)
>      at ldapsync.c:342
> #4  0x00000000004a3a6f in do_syncrep1 (op=0x7fffad9f8470, si=0xa0f4d0)
>      at syncrepl.c:671
> #5  0x00000000004a6e70 in do_syncrepl (ctx=0x7fffad9f8b60, arg=0xa0c4d0)
>      at syncrepl.c:1512
> #6  0x0000000000581c1f in ldap_int_thread_pool_wrapper (xpool=0x924d20)
>      at tpool.c:688
> #7  0x00007ffff7645c5c in start_thread () from /lib64/libpthread.so.0
> #8  0x00007ffff6b67fcd in clone () from /lib64/libc.so.6
>
> but was freed with a null context as seen above.
>
> If I modify the code to force a null context allocation, it works.
>
> PS: I took a quick look at the Git code and it seems to be the same.
>
> Best regards,


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
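The report above boils down to an allocator-context mismatch: csnNormalize duplicated the cookie's CSN through ber_dupbv_x with the operation's memctx, but slap_sync_cookie_free released it through ber_bvarray_free, which passes a NULL ctx, so a pool block ended up in libc's free(). The following is an added illustration written for this page, not OpenLDAP code: a toy allocator that follows the same _x convention (NULL ctx means the process heap, non-NULL means a caller-supplied pool) but tags every block with the ctx it came from, so a free with the wrong ctx is detected and refused rather than aborting in free(). All names (mem_ctx, mem_alloc_x, mem_free_x, str_dup_x, str_array_free_x, cookie_roundtrip) are hypothetical, and the CSN string is the one from the report, used here as constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical context-aware allocator modelled on the ber_memalloc_x /
 * ber_memfree_x calling convention.  Not OpenLDAP's code.  Every block
 * carries the ctx it was allocated from, so freeing it with a different
 * ctx can be caught instead of corrupting the heap. */

typedef struct mem_ctx {
    const char *name;
    size_t live;            /* bytes currently outstanding in this ctx */
} mem_ctx;

typedef struct hdr {
    mem_ctx *ctx;           /* context the block was allocated from */
    size_t size;
} hdr;

void *mem_alloc_x(size_t s, mem_ctx *ctx)
{
    hdr *h = malloc(sizeof *h + s);
    if (!h) return NULL;
    h->ctx = ctx;
    h->size = s;
    if (ctx) ctx->live += s;
    return h + 1;
}

/* Returns 0 on success, -1 (block left intact) when the ctx does not match
 * the one the block was allocated with: the "bad free" in the report. */
int mem_free_x(void *p, mem_ctx *ctx)
{
    hdr *h;
    if (!p) return 0;
    h = (hdr *)p - 1;
    if (h->ctx != ctx) return -1;
    if (ctx) ctx->live -= h->size;
    free(h);
    return 0;
}

/* Like ber_dupbv_x for a C string: the copy lives in ctx. */
char *str_dup_x(const char *s, mem_ctx *ctx)
{
    size_t n = strlen(s) + 1;
    char *d = mem_alloc_x(n, ctx);
    if (d) memcpy(d, s, n);
    return d;
}

/* Like ber_bvarray_free_x: free each element, then the array, with ctx.
 * Returns how many blocks were refused because of a ctx mismatch. */
int str_array_free_x(char **a, mem_ctx *ctx)
{
    int bad = 0, i;
    if (!a) return 0;
    for (i = 0; a[i]; i++)
        if (mem_free_x(a[i], ctx) != 0) bad++;
    if (mem_free_x(a, ctx) != 0) bad++;
    return bad;
}

typedef struct { int mismatches; size_t outstanding; } outcome;

/* Shape of the reported bug: the cookie's CSN is normalised into the
 * operation's memctx, then the cookie is released.  free_with_ctx == 0
 * releases with a NULL ctx (the 2.4.30 behaviour); free_with_ctx == 1
 * passes the same ctx the values were allocated from. */
outcome cookie_roundtrip(int free_with_ctx)
{
    mem_ctx op_pool = { "op-memctx", 0 };
    /* constructed input: the CSN value from the report */
    const char *csn = "20120320035618.177820Z#000000#000#000000";
    char **ctxcsn = mem_alloc_x(2 * sizeof *ctxcsn, &op_pool);
    outcome r;

    ctxcsn[0] = str_dup_x(csn, &op_pool);
    ctxcsn[1] = NULL;

    r.mismatches = str_array_free_x(ctxcsn, free_with_ctx ? &op_pool : NULL);
    r.outstanding = op_pool.live;       /* still > 0 after a refused free */
    if (r.mismatches)                   /* nothing was released: clean up */
        str_array_free_x(ctxcsn, &op_pool);
    return r;
}

int main(void)
{
    outcome bad = cookie_roundtrip(0), good = cookie_roundtrip(1);
    printf("free with NULL ctx: %d mismatches, %zu bytes outstanding\n",
           bad.mismatches, bad.outstanding);
    printf("free with same ctx: %d mismatches, %zu bytes outstanding\n",
           good.mismatches, good.outstanding);
    return 0;
}
```

The point the toy makes is that the _x convention only works if allocation and release agree on the ctx end to end; a wrapper such as ber_bvarray_free that hard-codes a NULL ctx is only safe for values that were never placed in a pool. Tagging blocks with their ctx, as above, turns a heap abort into a reportable error, which is a cheap debug-build check for code paths that mix memctx and heap allocations.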