OpenLDAP
Viewing Incoming/5541

From: pwadas@jewish.org.pl
Subject: slapd segfaults with specific search on string bdb and hdb backend
Date: Fri, 30 May 2008 10:24:21 GMT
From: pwadas@jewish.org.pl
To: openldap-its@OpenLDAP.org
Subject: slapd segfaults with specific search on string bdb and hdb backend
Full_Name: Piotr Wadas
Version: 2.4.7 upto 2.4.9
OS: debian 2.6.18+ kernel
URL: 
Submission from: (NULL) (195.95.182.4)


The issue is discussed at
http://www.openldap.org/lists/openldap-software/200805/msg00136.html

List message contains debug information, steps to reproduce,
backtrace logs etc.
Issue appears since 2.4.7 in 2.4 series.


gdb bt quick ref:

#0  0xb7b4842c in free () from /usr/lib/i486-linux-gnu/i686/cmov/libc.so.6
#1  0xb7e901aa in ber_memfree_x (p=0x0, ctx=0x0) at
/home/pwadas/SRC/SLAPD/DEB249/openldap2.3-2.4.9/libraries/liblber/memory.c:152
#2  0xb7e9019c in ber_memfree_x (p=0x0, ctx=0x0) at
/home/pwadas/SRC/SLAPD/DEB249/openldap2.3-2.4.9/libraries/liblber/memory.c:159
#3  0xb7e90235 in ber_bvarray_free_x (a=0xa96e3354, ctx=0x8279658) at
/home/pwadas/SRC/SLAPD/DEB249/openldap2.3-2.4.9/libraries/liblber/memory.c:731
#4  0xb73028e5 in bdb_filter_candidates (op=0x82792e0, locker=34, f=0xa96e325c,
ids=0xa9062008, tmp=0xa8ee2008, stack=0xa90e2008)
    at /home/pwadas/SRC/SLAPD/DEB249/openldap2.3-2.4.9/servers/slapd/back-bdb/filterindex.c:803
#5  0xb7303064 in list_candidates (op=0x82792e0, locker=34, flist=0xa96e31ec,
ftype=160, ids=0xa8fe2008, tmp=0xa8ee2008, save=0xa9062008)
    at /home/pwadas/SRC/SLAPD/DEB249/openldap2.3-2.4.9/servers/slapd/back-bdb/filterindex.c:581
#6  0xb73017c7 in bdb_filter_candidates (op=0x82792e0, locker=34, f=0xa96e32bc,
ids=0xa8fe2008, tmp=0xa8ee2008, stack=0xa9062008)
    at /home/pwadas/SRC/SLAPD/DEB249/openldap2.3-2.4.9/servers/slapd/back-bdb/filterindex.c:198
#7  0xb7303064 in list_candidates (op=0x82792e0, locker=34, flist=0xa9be2ec8,
ftype=161, ids=0xa8f62008, tmp=0xa8ee2008, save=0xa8fe2008)
    at /home/pwadas/SRC/SLAPD/DEB249/openldap2.3-2.4.9/servers/slapd/back-bdb/filterindex.c:581
#8  0xb73015ca in bdb_filter_candidates (op=0x82792e0, locker=34, f=0xa9be2ebc,
ids=0xa8f62008, tmp=0xa8ee2008, stack=0xa8fe2008)
    at /home/pwadas/SRC/SLAPD/DEB249/openldap2.3-2.4.9/servers/slapd/back-bdb/filterindex.c:204
#9  0xb7303064 in list_candidates (op=0x82792e0, locker=34, flist=0xa9be2eb0,
ftype=160, ids=0xa9b22e1c, tmp=0xa8ee2008, save=0xa8f62008)
    at /home/pwadas/SRC/SLAPD/DEB249/openldap2.3-2.4.9/servers/slapd/back-bdb/filterindex.c:581
#10 0xb73017c7 in bdb_filter_candidates (op=0x82792e0, locker=34, f=0xa9be2ed4,
ids=0xa9b22e1c, tmp=0xa8ee2008, stack=0xa8f62008)
    at /home/pwadas/SRC/SLAPD/DEB249/openldap2.3-2.4.9/servers/slapd/back-bdb/filterindex.c:198
#11 0xb72fc858 in bdb_search (op=0x82792e0, rs=0xa9be4168) at
/home/pwadas/SRC/SLAPD/DEB249/openldap2.3-2.4.9/servers/slapd/back-bdb/search.c:1109
#12 0x080d76f1 in overlay_op_walk (op=0x82792e0, rs=0xa9be4168, which=op_search,
oi=0x81f63d8, on=0x81f64d8) at
/home/pwadas/SRC/SLAPD/DEB249/openldap2.3-2.4.9/servers/slapd/backover.c:646
#13 0x080d7c5d in over_op_func (op=0x82792e0, rs=0xa9be4168, which=op_search) at
/home/pwadas/SRC/SLAPD/DEB249/openldap2.3-2.4.9/servers/slapd/backover.c:698
#14 0x08077fd3 in fe_op_search (op=0x82792e0, rs=0xa9be4168) at
/home/pwadas/SRC/SLAPD/DEB249/openldap2.3-2.4.9/servers/slapd/search.c:366
#15 0x080787fc in do_search (op=0x82792e0, rs=0xa9be4168) at
/home/pwadas/SRC/SLAPD/DEB249/openldap2.3-2.4.9/servers/slapd/search.c:217
#16 0x08075a9f in connection_operation (ctx=0xa9be4248, arg_v=0x82792e0) at
/home/pwadas/SRC/SLAPD/DEB249/openldap2.3-2.4.9/servers/slapd/connection.c:1084
#17 0x08076196 in connection_read_thread (ctx=0xa9be4248, argv=0x10) at
/home/pwadas/SRC/SLAPD/DEB249/openldap2.3-2.4.9/servers/slapd/connection.c:1211
#18 0xb7ea1d64 in ldap_int_thread_pool_wrapper (xpool=0x81b09b8) at
/home/pwadas/SRC/SLAPD/DEB249/openldap2.3-2.4.9/libraries/libldap_r/tpool.c:663
#19 0xb7c2c4fb in start_thread () from
/usr/lib/i486-linux-gnu/i686/cmov/libpthread.so.0
#20 0xb7bafe8e in clone () from /usr/lib/i486-linux-gnu/i686/cmov/libc.so.6




Followup 1

Date: Fri, 30 May 2008 09:10:27 -0700
From: Howard Chu <hyc@symas.com>
To: pwadas@jewish.org.pl
CC: openldap-its@openldap.org
Subject: Re: (ITS#5541) slapd segfaults with specific search on string bdb and hdb backend

pwadas@jewish.org.pl wrote:
> Full_Name: Piotr Wadas
> Version: 2.4.7 upto 2.4.9
> OS: debian 2.6.18+ kernel
> URL:
> Submission from: (NULL) (195.95.182.4)
>
>
> The issue is discussed at
> http://www.openldap.org/lists/openldap-software/200805/msg00136.html
>
> List message contains debug information, steps to reproduce,
> backtrace logs etc.
> Issue appears since 2.4.7 in 2.4 series.

The config info you posted is missing your index configuration, which is most 
relevant here.

From your traces, we could use a little more info as well:
frame 4
print *ava->aa_desc
print *mr
>
> gdb bt quick ref:
>
> #0  0xb7b4842c in free () from /usr/lib/i486-linux-gnu/i686/cmov/libc.so.6
> #1  0xb7e901aa in ber_memfree_x (p=0x0, ctx=0x0) at
> /home/pwadas/SRC/SLAPD/DEB249/openldap2.3-2.4.9/libraries/liblber/memory.c:152
> #2  0xb7e9019c in ber_memfree_x (p=0x0, ctx=0x0) at
> /home/pwadas/SRC/SLAPD/DEB249/openldap2.3-2.4.9/libraries/liblber/memory.c:159
> #3  0xb7e90235 in ber_bvarray_free_x (a=0xa96e3354, ctx=0x8279658) at
> /home/pwadas/SRC/SLAPD/DEB249/openldap2.3-2.4.9/libraries/liblber/memory.c:731
> #4  0xb73028e5 in bdb_filter_candidates (op=0x82792e0, locker=34, f=0xa96e325c,
> ids=0xa9062008, tmp=0xa8ee2008, stack=0xa90e2008)
>      at /home/pwadas/SRC/SLAPD/DEB249/openldap2.3-2.4.9/servers/slapd/back-bdb/filterindex.c:803


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 2

Date: Mon, 2 Jun 2008 21:29:18 +0200 (CEST)
From: Piotr Wadas <pwadas@jewish.org.pl>
To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#5541) slapd segfaults with specific search on string bdb and hdb backend

Hello,
Forwarding as requested, sorry for mislead.
Regards,
PW.

---------- Forwarded message ----------
Date: Mon, 02 Jun 2008 10:33:14 -0700
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: Piotr Wadas <pwadas@jewish.org.pl>, openldap-software@openldap.org
Subject: Re: slapd 2.4.7-2.4.9 segfaults with some specific search

Information for your ITS should be sent to the ITS address with the bug number
in the subject, as the email you were sent after filing the ITS instructed, and
not to openldap-software.  Thanks.

--Quanah

--On May 31, 2008 8:11:46 AM +0200 Piotr Wadas <pwadas@jewish.org.pl> wrote:

>
> Hello,
> Regarding http://www.openldap.org/its/index.cgi?findid=5541
>
> Link to indexes file and full schema, including custom schema
> is mailed to Howard Chu, as I'd like to avoid spreading it.
> It says there's no variable "ava" nor "mr", as below
>
> I keep gdb on detached screen, so if additional variables
> need to be printed I have 'em at hand.
>
> -------------------------------
> (gdb) print *ava->aa_desc
> No symbol "ava" in current context.
> (gdb) print *mr
> No symbol "mr" in current context.
> (gdb) print ava->aa_desc
> No symbol "ava" in current context.
> (gdb) print mr
> No symbol "mr" in current context.
> (gdb) info variables ava
> All variables matching regular expression "ava":
>
> Non-debugging symbols:
> 0xb7cc61ac  __set_robust_list_avail
> 0xb7cc61ac  __set_robust_list_avail
> 0xb7c8d10e  not_available
> 0xb7f75da0  available_ciphers
> (gdb) info variables mr
> All variables matching regular expression "mr":
> ----------------
>
> But I found this may be also relevant:
>
> frame 3:
>
> (gdb) frame 3
> # 3  0xb7f18235 in ber_bvarray_free_x (a=0xa976b354, ctx=0x8279658) at
> /home/pwadas/SRC/SLAPD/DEB249/openldap2.3-2.4.9/libraries/liblber/memory.c:731
> 731                             ber_memfree_x(a[i].bv_val, ctx);
> (gdb) info args
> a = (BerVarray) 0xa976b354
> ctx = (void *) 0x8279658
> (gdb) print *a
> $30 = {bv_len = 4, bv_val = 0xa976b36c "\200"}
> (gdb) print *a->bv_val
> $31 = -128 '\200'
>
> frame 4
>
>
> $44 =
> {
>   o_hdr = 0x82793b8, o_tag = 99, o_time = 1212212344, o_tincr = 1, o_bd =
>     0xa9c6af80, o_req_dn =
>   {
>   bv_len = 29, bv_val = 0xa976b154 "dc=dns,dc=nameservers,dc=com,dc=eu"}
>   , o_req_ndn =
>   {
>   bv_len = 29, bv_val = 0xa976b1a4 "dc=dns,dc=nameservers,dc=com,dc=eu"}
>   , o_request =
>   {
>     oq_add =
>     {
>     rs_modlist = 0x2, rs_e = 0x0}
>     , oq_bind =
>     {
>       rb_method = 2, rb_cred =
>       {
>       bv_len = 0, bv_val = 0xffffffff < Address 0xffffffff out of bounds
> >}       , rb_edn =
>       {
>       bv_len = 4294967295, bv_val = 0x0}
>       , rb_ssf = 0, rb_mech =
>       {
>       bv_len = 0, bv_val = 0xa976b2bc " "}
>     }
>     , oq_compare =
>     {
>     rs_ava = 0x2}
>     , oq_modify =
>     {
>       rs_mods =
>       {
>       rs_modlist = 0x2, rs_no_opattrs = 0 '\0'}
>     , rs_increment = -1}
>     , oq_modrdn =
>     {
>       rs_mods =
>       {
>       rs_modlist = 0x2, rs_no_opattrs = 0 '\0'}
>       , rs_deleteoldrdn = -1, rs_newrdn =
>       {
>       bv_len = 4294967295, bv_val = 0x0}
>       , rs_nnewrdn =
>       {
>       bv_len = 0, bv_val = 0x0}
>     , rs_newSup = 0xa976b2bc, rs_nnewSup = 0x79}
>     , oq_search =
>     {
>       rs_scope = 2, rs_deref = 0, rs_slimit = -1, rs_tlimit =
> 	-1, rs_limit = 0x0, rs_attrsonly = 0, rs_attrs =
> 	0x0, rs_filter = 0xa976b2bc, rs_filterstr =
>       {
>       bv_len = 121, bv_val =
> 	  0xa976b2cc
>
> "(&(objectClass=dNSDomain)(associatedDomain=*fakedomain.com)(customerID=10125)(sOARecord=*)(nSRecord=*)(topLevelDomain=TRUE))"}     }
>     , oq_abandon =
>     {
>     rs_msgid = 2}
>     , oq_cancel =
>     {
>     rs_msgid = 2}
>     , oq_extended =
>     {
>       rs_reqoid =
>       {
>       bv_len = 2, bv_val = 0x0}
>     , rs_flags = -1, rs_reqdata = 0xffffffff}
>     , oq_pwdexop =
>     {
>       rs_extended =
>       {
> 	rs_req

Message of length 6677 truncated


Followup 3

Date: Mon, 02 Jun 2008 12:39:54 -0700
From: Howard Chu <hyc@symas.com>
To: pwadas@jewish.org.pl
CC: openldap-its@openldap.org
Subject: Re: (ITS#5541) slapd segfaults with specific search on string bdb and hdb backend

pwadas@jewish.org.pl wrote:
>    This message is in MIME format.  The first part should be readable text,
>    while the remaining parts are likely unreadable without MIME-aware tools.

Looks like you didn't have the correct frame selected before issuing those 
print commands.

At any rate, I suspect this issue has already been fixed in the 2.4.10 release 
candidate. Please test with the 2.4 release in CVS.

>>
>> Hello,
>> Regarding http://www.openldap.org/its/index.cgi?findid=5541
>>
>> Link to indexes file and full schema, including custom schema
>> is mailed to Howard Chu, as I'd like to avoid spreading it.
>> It says there's no variable "ava" nor "mr", as below
>>
>> I keep gdb on detached screen, so if additional variables
>> need to be printed I have 'em at hand.
>>
>> -------------------------------
>> (gdb) print *ava->aa_desc
>> No symbol "ava" in current context.
>> (gdb) print *mr
>> No symbol "mr" in current context.
>> (gdb) print ava->aa_desc
>> No symbol "ava" in current context.
>> (gdb) print mr
>> No symbol "mr" in current context.


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 4

Date: Mon, 2 Jun 2008 23:25:29 +0200 (CEST)
From: Piotr Wadas <pwadas@jewish.org.pl>
To: Howard Chu <hyc@symas.com>
cc: openldap-its@openldap.org
Subject: Re: (ITS#5541) slapd segfaults with specific search on string bdb and hdb backend (closing, already solved)

It works as expected with CVS current OPENLDAP_REL_ENG_2_4
version (didn't test -devel version),
Deep respect & many thanks for your amazing work with free ldap software -
Piotr Wadas

On Mon, 2 Jun 2008, Howard Chu wrote:

> pwadas@jewish.org.pl wrote:
> >    This message is in MIME format.  The first part should be readable text,
> >    while the remaining parts are likely unreadable without MIME-aware tools.
> 
> Looks like you didn't have the correct frame selected before issuing those
> print commands.
> 
> At any rate, I suspect this issue has already been fixed in the 2.4.10 release
> candidate. Please test with the 2.4 release in CVS.
> 
> > >
> > > Hello,
> > > Regarding http://www.openldap.org/its/index.cgi?findid=5541
> > >
> > > Link to indexes file and full schema, including custom schema
> > > is mailed to Howard Chu, as I'd like to avoid spreading it.
> > > It says there's no variable "ava" nor "mr", as below
> > >
> > > I keep gdb on detached screen, so if additional variables
> > > need to be printed I have 'em at hand.
> > >
> > > -------------------------------
> > > (gdb) print *ava->aa_desc
> > > No symbol "ava" in current context.
> > > (gdb) print *mr
> > > No symbol "mr" in current context.
> > > (gdb) print ava->aa_desc
> > > No symbol "ava" in current context.
> > > (gdb) print mr
> > > No symbol "mr" in current context.
> 
> 
> 



Followup 5

Date: Mon, 02 Jun 2008 15:13:57 -0700
From: Howard Chu <hyc@symas.com>
To: Piotr Wadas <pwadas@jewish.org.pl>
CC: openldap-its@openldap.org
Subject: Re: (ITS#5541) slapd segfaults with specific search on string bdb and hdb backend (closing, already solved)

Piotr Wadas wrote:
> It works as expected with CVS current OPENLDAP_REL_ENG_2_4
> version (didn't test -devel version),
> Deep respect & many thanks for your amazing work with free ldap software -

Thanks for the feedback, glad it's working for you.
This ITS will be closed.

> Piotr Wadas
>
> On Mon, 2 Jun 2008, Howard Chu wrote:
>
>> pwadas@jewish.org.pl wrote:
>>>     This message is in MIME format.  The first part should be readable text,
>>>     while the remaining parts are likely unreadable without MIME-aware tools.
>> Looks like you didn't have the correct frame selected before issuing those
>> print commands.
>>
>> At any rate, I suspect this issue has already been fixed in the 2.4.10 release
>> candidate. Please test with the 2.4 release in CVS.
>>
>>>>
>>>> Hello,
>>>> Regarding http://www.openldap.org/its/index.cgi?findid=5541
>>>>
>>>> Link to indexes file and full schema, including custom schema
>>>> is mailed to Howard Chu, as I'd like to avoid spreading it.
>>>> It says there's no variable "ava" nor "mr", as below
>>>>
>>>> I keep gdb on detached screen, so if additional variables
>>>> need to be printed I have 'em at hand.
>>>>
>>>> -------------------------------
>>>> (gdb) print *ava->aa_desc
>>>> No symbol "ava" in current context.
>>>> (gdb) print *mr
>>>> No symbol "mr" in current context.
>>>> (gdb) print ava->aa_desc
>>>> No symbol "ava" in current context.
>>>> (gdb) print mr
>>>> No symbol "mr" in current context.
>>
>>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

