Full_Name: Howard Chu
Version: 2.4
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (73.15.219.210)
Submitted by: hyc

If a connection closes while syncprov_search_response is turning the current search op into a detached psearch op, connection_abandon() may get run on the connection while both the original and the detached copy of the op are present on the connection queue. detach_op will append the new copy onto the end of the connection's queue. connection_abandon will find the original op first, and call into syncprov_op_abandon. syncprov_op_abandon will cause the detached copy to be freed from the si->si_ops list (since both copies have the same connid and msgid). If there has been no other activity on the connection, then the original op's o_next will be pointing to the detached copy. connection_abandon is using this o_next to iterate through the connection's queue. After syncprov frees this copy, connection_abandon will probably SEGV.

The fix is to prevent connection_abandon from calling abandon handlers on an op that has already been abandoned.
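The hazard in the report is a general one: walking an intrusive singly linked queue by o_next while a per-op handler is allowed to free some other node of the same queue. The following C model is an added example and is not slapd code; it keeps only the fields the report names (o_connid, o_msgid, o_abandon, o_next), uses an o_released flag in place of free() so the bad walk can be observed instead of crashing, and invents the helpers (queue_append, build_scenario, run_scenario, the SyncInfo struct, the defer argument) for illustration. The guarded walk implements the one sentence of the fix the report gives, skipping ops that are already marked abandoned, together with a deferred release in the handler; how the real slapd change is structured beyond that sentence is not on this page and is not claimed here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of slapd's Operation: only the fields the report mentions.
 * o_released is instrumentation standing in for free(). (Assumed layout.) */
typedef struct Operation {
    unsigned long o_connid;
    int o_msgid;
    int o_abandon;
    int o_released;
    struct Operation *o_next;
} Operation;

typedef struct Connection {
    Operation *c_ops;            /* head of the per-connection op queue */
} Connection;

/* Stand-in for syncprov's si->si_ops list of detached persistent searches. */
#define MAX_SI_OPS 8
typedef struct SyncInfo {
    Operation *si_ops[MAX_SI_OPS];
    int si_nops;
    int si_abandon_calls;        /* how many times the abandon handler ran */
} SyncInfo;

static void queue_append(Connection *c, Operation *op)
{
    Operation **pp = &c->c_ops;
    while (*pp) pp = &(*pp)->o_next;
    op->o_next = NULL;
    *pp = op;
}

/* Model of detach_op: copy the search op, append the copy to the END of the
 * connection queue (so orig->o_next == copy) and register it with syncprov. */
static Operation *detach_op(Connection *c, SyncInfo *si, Operation *orig)
{
    Operation *copy = calloc(1, sizeof *copy);
    if (!copy) abort();
    copy->o_connid = orig->o_connid;
    copy->o_msgid = orig->o_msgid;
    queue_append(c, copy);
    si->si_ops[si->si_nops++] = copy;
    return copy;
}

/* Model of syncprov_op_abandon: drop every si_ops entry sharing the abandoned
 * op's connid/msgid. defer == 0 releases the entry on the spot (the behaviour
 * the report describes); defer != 0 only marks it abandoned and leaves the
 * memory to the connection's normal teardown. */
static void syncprov_op_abandon(SyncInfo *si, Operation *op, int defer)
{
    si->si_abandon_calls++;
    for (int i = 0; i < si->si_nops; ) {
        Operation *so = si->si_ops[i];
        if (so->o_connid == op->o_connid && so->o_msgid == op->o_msgid) {
            so->o_abandon = 1;
            if (!defer) so->o_released = 1;      /* free(so) in real code */
            si->si_ops[i] = si->si_ops[--si->si_nops];
        } else {
            i++;
        }
    }
}

/* Buggy walk: runs the handler for every queued op, then follows o_next, which
 * may now point at a node the handler released. Returns how many released
 * nodes were touched; one is already a SEGV in real slapd. */
static int connection_abandon_buggy(Connection *c, SyncInfo *si)
{
    int touched = 0;
    for (Operation *o = c->c_ops; o; o = o->o_next) {
        if (o->o_released) { touched++; break; }
        o->o_abandon = 1;
        syncprov_op_abandon(si, o, 0);
    }
    return touched;
}

/* Guarded walk: an op already marked abandoned gets no handler call, and the
 * handler only marks its twin; the copy stays queued and is freed with the
 * rest of the queue when the connection closes. Returns touched (expect 0). */
static int connection_abandon_fixed(Connection *c, SyncInfo *si)
{
    int touched = 0;
    for (Operation *o = c->c_ops; o; o = o->o_next) {
        if (o->o_released) { touched++; break; }
        if (o->o_abandon) continue;              /* already abandoned: skip */
        o->o_abandon = 1;
        syncprov_op_abandon(si, o, 1);
    }
    return touched;
}

/* Constructed scenario from the report: a single search op that has just been
 * detached, so the original and its copy are both on the queue. Returns the
 * number of released nodes the chosen walk touched; *handler_calls gets the
 * number of abandon-handler invocations. */
static int run_scenario(int fixed, int *handler_calls)
{
    Connection c; SyncInfo si; Operation orig;
    memset(&c, 0, sizeof c); memset(&si, 0, sizeof si); memset(&orig, 0, sizeof orig);
    orig.o_connid = 1001; orig.o_msgid = 2;      /* constructed ids */
    queue_append(&c, &orig);
    detach_op(&c, &si, &orig);
    int touched = fixed ? connection_abandon_fixed(&c, &si)
                        : connection_abandon_buggy(&c, &si);
    if (handler_calls) *handler_calls = si.si_abandon_calls;
    for (Operation *o = orig.o_next, *n; o; o = n) { n = o->o_next; free(o); }
    return touched;
}

int main(void)
{
    int calls;
    printf("buggy walk touched released ops: %d (handler calls %d)\n",
           run_scenario(0, &calls), calls);
    printf("fixed walk touched released ops: %d (handler calls %d)\n",
           run_scenario(1, &calls), calls);
    return 0;
}
```

The guard only works because the handler's marking of the twin is visible to the walk before the walk reaches it; if the handler freed the node instead, no check inside the loop could save the o_next dereference, which is why deferring the release to the connection teardown is paired with the skip.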
changed notes; changed state Open to Test; moved from Incoming to Software Bugs
changed notes changed state Test to Release
fixed in master; fixed in RE25; fixed in RE24 (2.4.43)
changed notes changed state Release to Closed