
syncrepl crasher (ITS#3297)



Full_Name: Luke Howard
Version: 2.2.15
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (203.13.32.92)


syncrepl can crash due to a double free.

==12526== Thread 6:
==12526== Invalid free() / delete / delete[]
==12526==    at 0x1B905391: free (vg_replace_malloc.c:153)
==12526==    by 0x1B9474EF: ber_memfree_x (memory.c:153)
==12526==    by 0x808160C: ch_free (ch_malloc.c:159)
==12526==    by 0x8072406: entry_free (entry.c:426)
==12526==    by 0x80AEB1D: do_syncrep2 (syncrepl.c:548)
==12526==    by 0x80AF868: do_syncrepl (syncrepl.c:861)
==12526==    by 0x1B913303: ldap_int_thread_pool_wrapper (tpool.c:467)
==12526==    by 0x1BB7597B: thread_wrapper (vg_libpthread.c:867)
==12526==    by 0xB000F7E1: do__quit (vg_scheduler.c:1861)
==12526==  Address 0x1C2DB3F8 is 0 bytes inside a block of size 40 free'd
==12526==    at 0x1B905391: free (vg_replace_malloc.c:153)
==12526==    by 0x1B9474EF: ber_memfree_x (memory.c:153)
==12526==    by 0x808160C: ch_free (ch_malloc.c:159)
==12526==    by 0x8072406: entry_free (entry.c:426)
==12526==    by 0x80AFFF9: syncrepl_message_to_entry (syncrepl.c:1060)
==12526==    by 0x80AEA5F: do_syncrep2 (syncrepl.c:534)
==12526==    by 0x80AF868: do_syncrepl (syncrepl.c:861)
==12526==    by 0x1B913303: ldap_int_thread_pool_wrapper (tpool.c:467)
==12526==    by 0x1BB7597B: thread_wrapper (vg_libpthread.c:867)
==12526==    by 0xB000F7E1: do__quit (vg_scheduler.c:1861)

Patch, which I will commit, follows:

Index: syncrepl.c
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/servers/slapd/syncrepl.c,v
retrieving revision 1.130
diff -u -r1.130 syncrepl.c
--- syncrepl.c  20 Aug 2004 14:26:58 -0000      1.130
+++ syncrepl.c  23 Aug 2004 23:18:52 -0000
@@ -1088,7 +1088,7 @@
        ber_free ( ber, 0 );
        if ( rc != LDAP_SUCCESS ) {
                entry_free( e );
-               e = NULL;
+               *entry = e = NULL;
        }
 
        return rc;
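Review bot: the removed `e = NULL;` only cleared the callee's local alias, so after `entry_free( e )` the caller's out-parameter `*entry` still pointed at the released block, and the caller's own `entry_free` (the `do_syncrep2 (syncrepl.c:548)` frame in the valgrind trace) freed it a second time; `*entry = e = NULL;` fixes exactly that. Worth checking while here that `*entry` is also left NULL on any other non-success return of this function, so a caller that unconditionally frees `*entry` when `rc != LDAP_SUCCESS` cannot hit a stale pointer on a different error path.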
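The ownership mistake behind the report, reproduced as an added C illustration that is not taken from the report or from OpenLDAP: a callee builds an entry into an out-parameter, frees it on failure, and in the "before" version clears only its local copy, so a caller that frees what it was handed releases the block twice, which is the pattern the valgrind trace shows. The code assumes a simplified `Entry`, a constructed DN, an injected result code to force the failure path, and a small debug `entry_free` that records released blocks and reports a second free instead of corrupting the heap; the error code values mirror ldap.h.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LDAP_SUCCESS        0
#define LDAP_DECODING_ERROR 0x54   /* same values as in ldap.h */

/* Minimal stand-in for slapd's Entry; constructed for this example. */
typedef struct Entry { char dn[64]; } Entry;

/* Debug allocator bookkeeping (constructed): remember released blocks so
 * that a second entry_free() of the same block is detected and counted
 * rather than handed to free() again. */
#define MAX_TRACKED 16
static const void *freed_blocks[MAX_TRACKED];
static int freed_count = 0;
static int double_free_count = 0;

static void untrack(const void *p) {
    for (int i = 0; i < freed_count; i++) {
        if (freed_blocks[i] == p) {
            freed_blocks[i] = freed_blocks[--freed_count];
            return;
        }
    }
}

static Entry *entry_alloc(const char *dn) {
    Entry *e = calloc(1, sizeof *e);
    if (e == NULL) return NULL;
    untrack(e);                       /* address may be reused by malloc */
    snprintf(e->dn, sizeof e->dn, "%s", dn);
    return e;
}

static void entry_free(Entry *e) {
    if (e == NULL) return;            /* freeing NULL is a no-op */
    for (int i = 0; i < freed_count; i++) {
        if (freed_blocks[i] == e) {   /* already released: report, don't touch */
            double_free_count++;
            return;
        }
    }
    if (freed_count < MAX_TRACKED) freed_blocks[freed_count++] = e;
    free(e);
}

/* Callees shaped like syncrepl_message_to_entry(): build an entry into
 * the out-parameter and return an LDAP result code. `rc` is injected so
 * the failure path can be forced. */

/* Before the patch: only the local alias is cleared on failure. */
static int message_to_entry_before(Entry **entry, int rc) {
    Entry *e = entry_alloc("cn=constructed,dc=example");
    *entry = e;
    if (rc != LDAP_SUCCESS) {
        entry_free(e);
        e = NULL;                     /* caller's *entry still dangles */
    }
    return rc;
}

/* After the patch: the out-parameter is cleared together with the local. */
static int message_to_entry_after(Entry **entry, int rc) {
    Entry *e = entry_alloc("cn=constructed,dc=example");
    *entry = e;
    if (rc != LDAP_SUCCESS) {
        entry_free(e);
        *entry = e = NULL;            /* caller sees NULL; its free is a no-op */
    }
    return rc;
}

/* Caller shaped like the do_syncrep2() frame in the trace: it frees the
 * entry it was handed regardless of the result code.
 * Returns how many double frees the debug allocator caught. */
static int run_caller(int (*convert)(Entry **, int), int rc) {
    Entry *entry = NULL;
    int before = double_free_count;
    (void)convert(&entry, rc);
    entry_free(entry);                /* second free if *entry still dangles */
    return double_free_count - before;
}

int main(void) {
    printf("before patch, decode error: %d double free(s)\n",
           run_caller(message_to_entry_before, LDAP_DECODING_ERROR));
    printf("after patch,  decode error: %d double free(s)\n",
           run_caller(message_to_entry_after, LDAP_DECODING_ERROR));
    printf("after patch,  success:      %d double free(s)\n",
           run_caller(message_to_entry_after, LDAP_SUCCESS));
    return 0;
}
```

The instrumented `entry_free` stands in for what valgrind did on the original page: it catches the second release of a block the debug list already holds. The fixed contract is the one worth remembering when a function both owns an out-parameter and can fail: clear the caller's pointer, not just the local one, on every error return.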