
derefDN locking problem (ITS#597)

Full_Name: Wesley Craig
Version: 1.2.11
OS: Solaris 2.6
Submission from: (NULL) (

In derefDN(), in back-ldbm/alias.c around line 281, there are two
calls, dn2entry_r() and derefAlias_r(), both of which are assumed to
return a locked entry.  However, these entries are actually the same,
unless the first actually contained an alias.  Moreover, since the entry
was only locked in dn2entry_r(), not in derefAlias_r(), the *two* calls
to cache_return_entry_r() cause the RDWR lock to possibly go negative.
Once the RDWR lock has been corrupted, wackiness ensues.

I found this bug by inserting consistency checking in the RDWR code, e.g.
that the count of readers, writers, and waiters should never be negative.
The server immediately showed the error when doing ldapsearch with -a always.
Since I'm not sure what derefDN() is supposed to be doing, I'm at a loss
to fix it.
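
The double release described in this report, as an added example that is not part of the original message and is not OpenLDAP code: a simplified single-threaded model of the lock bookkeeping with a never-negative consistency check. All type and function names are hypothetical, and the guarded variant is one way to avoid the double release in this model, not the project's fix.

```c
#include <stdio.h>

/* Simplified single-threaded model of reader/writer lock bookkeeping.
 * All names are hypothetical; this is not OpenLDAP code. */
typedef struct { int readers; int violations; } rdwr_model;
typedef struct { int is_alias; rdwr_model lock; } entry_model;

/* Consistency check of the kind the report describes: counts never go negative. */
static void rdwr_check(rdwr_model *l) { if (l->readers < 0) l->violations++; }
static void rdwr_rlock(rdwr_model *l) { l->readers++; rdwr_check(l); }
static void rdwr_runlock(rdwr_model *l) { l->readers--; rdwr_check(l); }

/* Stand-in for a lookup that returns its entry read-locked. */
static entry_model *lookup_locked(entry_model *e) { rdwr_rlock(&e->lock); return e; }

/* Stand-in for alias dereferencing: a non-alias entry comes back as the same
 * pointer with no additional lock; an alias yields its read-locked target. */
static entry_model *deref(entry_model *e, entry_model *target) {
    if (!e->is_alias) return e;
    rdwr_rlock(&target->lock);
    return target;
}

/* Pattern from the report: both results are released unconditionally. */
int release_both(entry_model *e, entry_model *target) {
    entry_model *a = lookup_locked(e);
    entry_model *b = deref(a, target);
    rdwr_runlock(&b->lock);
    rdwr_runlock(&a->lock);   /* second release of the same lock when b == a */
    return e->lock.violations + target->lock.violations;
}

/* Guarded variant: the second release happens only for a distinct entry. */
int release_distinct(entry_model *e, entry_model *target) {
    entry_model *a = lookup_locked(e);
    entry_model *b = deref(a, target);
    if (b != a) rdwr_runlock(&b->lock);
    rdwr_runlock(&a->lock);
    return e->lock.violations + target->lock.violations;
}

int main(void) {
    /* Constructed sample entries: one plain entry and one lookup target. */
    entry_model p1 = {0, {0, 0}}, p2 = {0, {0, 0}}, t = {0, {0, 0}};
    printf("release_both:     %d violation(s)\n", release_both(&p1, &t));
    printf("release_distinct: %d violation(s)\n", release_distinct(&p2, &t));
    return 0;
}
```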