Viewing Software Bugs/7302
Notes:
fixed in master
fixed in RE24
Date: Tue, 12 Jun 2012 21:55:36 +0000
From: quanah@openldap.org
To: openldap-its@OpenLDAP.org
Subject: mdb segfault when renaming entry
Full_Name: Quanah Gibson-Mount
Version: 2.4.31
OS: Linux 2.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (75.108.184.39)

Got the following segfault in mdb when renaming entry X to the same name as a
previously deleted entry Y.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f076d5c6700 (LWP 15510)]
0x00007f1b6ea5190b in mdb_cursor_del (mc=0x2e09a08, flags=0) at ./../../../libraries/libmdb/mdb.c:4516
4516    ./../../../libraries/libmdb/mdb.c: No such file or directory.
        in ./../../../libraries/libmdb/mdb.c
(gdb) thr apply all bt full

Thread 5 (Thread 0x7f076ddc7700 (LWP 15509)):
#0  0x00007f1b7261c2d3 in epoll_wait () from /lib/libc.so.6
No symbol table info available.
#1  0x00000000004395d9 in slapd_daemon_task (ptr=0x2715d00) at daemon.c:2540
        ns = 1
        at = 0
        nfds = 8
        revents = 0x287e000
        tvp = 0x7f076ddc4da0
        cat = {tv_sec = 1339538180, tv_usec = 0}
        i = 1
        nwriters = 0
        now = 1339537971
        tv = {tv_sec = 209, tv_usec = 0}
        tdelta = 1
        rtask = 0x2d81950
        l = 3
        last_idle_check = 1339537880
        ebadf = 0
        tid = 0
#2  0x00007f1b728be9ca in start_thread () from /lib/libpthread.so.0
No symbol table info available.
#3  0x00007f1b7261bcdd in clone () from /lib/libc.so.6
No symbol table info available.
#4  0x0000000000000000 in ?? ()
No symbol table info available.
Thread 4 (Thread 0x7f076d5c6700 (LWP 15510)):
#0  0x00007f1b6ea5190b in mdb_cursor_del (mc=0x2e09a08, flags=0) at ./../../../libraries/libmdb/mdb.c:4516
        leaf = 0x130000004c
        rc = 0
#1  0x00007f1b6ea519b4 in mdb_cursor_del (mc=0x2e09880, flags=0) at ./../../../libraries/libmdb/mdb.c:4523
        leaf = 0x50baacc
        rc = 0
#2  0x00007f1b6ea42088 in mdb_dn2id_delete (op=0x2c0fc00, mc=0x2e09880, id=75) at dn2id.c:235
        key = {mv_size = 8, mv_data = 0x7f076d5c5468}
        rc = 0
#3  0x00007f1b6ea31abc in mdb_delete (op=0x2c0fc00, rs=0x7f076d5c5a10) at delete.c:336
        mdb = 0x2e56000
        pdn = {bv_len = 16, bv_val = 0x48e82c2 "dc=zimbra,dc=com"}
        e = 0x48e8e90
        p = 0x48e83f0
        manageDSAit = 0
        children = 0x2722ec0
        entry = 0x2722f00
        txn = 0x458c000
        mc = 0x2e09880
        opinfo = {moi_oe = {oe_next = {sle_next = 0x0}, oe_key = 0x2e56000}, moi_txn = 0x458c000, moi_ref = 1, moi_flag = 0 '\000'}
        moi = 0x7f076d5c5530
        preread_ctrl = 0x0
        ctrls = {0x0, 0x151f55373c8e5d00, 0x0, 0x48e8308, 0x7f076d5c5570, 0x27fb280}
        num_ctrls = 0
        parent_is_glue = 0
        parent_is_leaf = 0
        __PRETTY_FUNCTION__ = "mdb_delete"
#4  0x00000000004d4b08 in overlay_op_walk (op=0x2c0fc00, rs=0x7f076d5c5a10, which=op_delete, oi=0x2c62d20, on=0x0) at backover.c:671
        func = 0x7f1b6ec60cf8
        rc = 32768
#5  0x00000000004d4d46 in over_op_func (op=0x2c0fc00, rs=0x7f076d5c5a10, which=op_delete) at backover.c:723
        oi = 0x2c62d20
        on = 0x2c62780
        be = 0x27589c0
        db = {bd_info = 0x7f1b6ec60ca0, bd_self = 0x27589c0,
          be_ctrls = "\000\001\001\001\000\001\000\000\001\000\000\001\001\000\001\000\000\001", '\000' <repeats 14 times>, "\001",
          be_flags = 2312, be_restrictops = 0, be_requires = 0,
          be_ssf_set = {sss_ssf = 0, sss_transport = 0, sss_tls = 0, sss_sasl = 0, sss_update_ssf = 0, sss_update_transport = 0,
            sss_update_tls = 0, sss_update_sasl = 0, sss_simple_bind = 0},
          be_suffix = 0x2be7900, be_nsuffix = 0x2be78c0, be_schemadn = {bv_len = 0, bv_val = 0x0}, be_schemandn = {
            bv_len = 0, bv_val = 0x0}, be_rootdn = {bv_len = 9, bv_val = 0x2d5eda0 "cn=config"},
          be_rootndn = {bv_len = 9, bv_val = 0x2d5ed80 "cn=config"}, be_rootpw = {bv_len = 0, bv_val = 0x0},
          be_max_deref_depth = 15,
          be_def_limit = {lms_t_soft = -1, lms_t_hard = 0, lms_s_soft = -1, lms_s_hard = 0, lms_s_unchecked = -1, lms_s_pr = 0,
            lms_s_pr_hide = 0, lms_s_pr_total = 0},
          be_limits = 0x0, be_acl = 0x2c6f6c0, be_dfltaccess = ACL_READ, be_extra_anlist = 0x0,
          be_update_ndn = {bv_len = 0, bv_val = 0x0}, be_update_refs = 0x0, be_pending_csn_list = 0x456f610,
          be_pcl_mutex = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __list = {
                __prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 39 times>, __align = 0},
          be_syncinfo = 0x0, be_pb = 0x0, be_cf_ocs = 0x7f1b6ec60aa0, be_private = 0x2e56000, be_next = {stqe_next = 0x0}}
        cb = {sc_next = 0x48e82e0, sc_response = 0x4d3840 <over_back_response>, sc_cleanup = 0, sc_private = 0x2c62d20}
        sc = 0x0
        rc = 32768
        __PRETTY_FUNCTION__ = "over_op_func"
#6  0x00000000004d4f2f in over_op_delete (op=0x2c0fc00, rs=0x7f076d5c5a10) at backover.c:780
No locals.
#7  0x000000000046149c in fe_op_delete (op=0x2c0fc00, rs=0