
Re: (ITS#7542) slapd segfault on modify



m.gr@gmx.de wrote:
> Full_Name: Matthias Grau
> Version: 2.4.34
> OS: debian 6.7.0 x64
> URL: ftp://ftp.openldap.org/incoming/matthias.grau.130318.bz2
> Submission from: (NULL) (94.217.193.246)
>
>
> slapd can cause a segfault when sorting values in modify operation.
> Under rare circumstances modify.c:802: jstack += 2; can reach a value greater than
> 63, which leads to an overwritten pointer for AttributeDescription.

Thanks for the report.

> Changing the size of istack from sizeof(int) * 16 to sizeof(int)*16 + 1 solves
> the segfault. But I don't think that's the correct solution.
> As shown here:
> http://theory.stanford.edu/~amitp/rants/c++-vs-c/test5.cc
> there should be a condition to break if jstack reaches the size of istack.

No. In a correct implementation, jstack can never exceed the size of istack.
This was fixed in similar/identical code elsewhere, e.g. commit 
bb36bdcd1c22d1fbc6575452ef5c9112715ab083 and 
e1559100eb8e9a664cd68915e5acbf8caa334fa1 but for some reason we missed these 
other instances.

Fixed now in git master.
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
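As an added illustration of the invariant Howard states (this is example code written for this page, not the modify.c code or the fix in the commits above): a non-recursive quicksort whose auxiliary stack cannot overflow because it always pushes the larger partition and keeps iterating on the smaller one, so at most log2(n) (lo, hi) pairs are ever pending. The istack/jstack names and the 64-entry size (sizeof(int) * 16 with 4-byte ints, as in the report) are borrowed for readability; the fail-closed check in push_range is an added defensive guard, not something the thread describes.

```c
#include <stdlib.h>
#define STACK_SLOTS 64  /* 32 pending (lo,hi) pairs: sizeof(int)*16 ints as in the report */
/* Push a pending range; fails closed instead of writing past istack (unreachable with push-larger). */
static int push_range(long *istack, int *jstack, long lo, long hi)
{
    if (*jstack + 2 > STACK_SLOTS) return -1;
    istack[(*jstack)++] = lo; istack[(*jstack)++] = hi;
    return 0;
}
/* Non-recursive quicksort of a[0..n-1]; returns the peak number of stack slots used, -1 on overflow. */
int qsort_bounded(int *a, long n)
{
    long istack[STACK_SLOTS], lo = 0, hi = n - 1;
    int jstack = 0, peak = 0;
    for (;;) {
        while (lo < hi) {
            long i = lo, j = hi;                      /* Hoare partition around the middle element */
            int pivot = a[lo + (hi - lo) / 2];
            while (i <= j) {
                while (a[i] < pivot) i++;
                while (a[j] > pivot) j--;
                if (i <= j) { int t = a[i]; a[i] = a[j]; a[j] = t; i++; j--; }
            }
            /* Now a[lo..j] <= pivot <= a[i..hi]. Stack the LARGER side and keep iterating on the
             * smaller one, so at most log2(n) pairs are pending however lopsided the splits are. */
            if (j - lo < hi - i) {
                if (i < hi && push_range(istack, &jstack, i, hi)) return -1;
                hi = j;
            } else {
                if (lo < j && push_range(istack, &jstack, lo, j)) return -1;
                lo = i;
            }
            if (jstack > peak) peak = jstack;
        }
        if (jstack == 0) return peak;
        hi = istack[--jstack]; lo = istack[--jstack];   /* resume the deferred larger side */
    }
}
/* Sort n pseudo-random ints (constructed input), verify order; returns peak slots, -2 if unsorted, -3 if OOM. */
int sort_check(long n)
{
    int *a = malloc(n * sizeof *a), peak;
    unsigned x = 12345u;                              /* LCG seed for the constructed input */
    if (!a) return -3;
    for (long k = 0; k < n; k++) { x = x * 1103515245u + 12345u; a[k] = (int)(x >> 16) % 1000; }
    peak = qsort_bounded(a, n);
    for (long k = 1; k < n && peak >= 0; k++) if (a[k - 1] > a[k]) peak = -2;
    free(a); return peak;
}
```

Because each pending pair was pushed while working on a range at most half the size of the previous one, even 4096 elements never need more than about 22 of the 64 slots; a version that pushes the smaller side instead can grow the stack linearly in n, which is the overflow the report describes.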