
Re: (ITS#3800) libldap abandon issue



I think I've hit the real issue: the ld_abandoned array can be modified by
two different portions of code:

1) do_abandon() in libldap/abandon.c, which reallocs the array while
protected behind ld_req_mutex

2) ldap_mark_abandoned() in libldap/result.c, which shifts the msgid of
the abandoned requests while protected behind ld_res_mutex

The contents of the array are also accessed by ldap_abandoned() in
libldap/result.c, while protected behind ld_res_mutex.

Note though that two different mutexes are used to protect access to the
same data, so conflicts can well occur.  For instance, I just spotted a
run past end in ldap_abandoned() where i == 20812 violates a memory
segment, while gdb shows that the array terminator -1 is actually located
at i == 4058.

I think this portion of code needs to be rearranged, but I'm still wondering
how.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
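To make the hazard described in the post concrete, here is an added example (not OpenLDAP's code, and not the fix the author was looking for): a hypothetical model of a -1 terminated msgid array like ld_abandoned, where the realloc (do_abandon side), the shift (ldap_mark_abandoned side) and the lookup (ldap_abandoned side) all take the same single mutex, and the lookup is bounded by an explicit count rather than by finding the terminator. The struct and function names are assumptions made for the example; the point is that once one lock covers every writer and reader, the terminator can no longer be displaced under a reader's feet, and the bounded scan makes a missing terminator a logic error rather than a run past the end of the segment.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical model, not OpenLDAP code: a -1 terminated msgid array like
 * ld_abandoned, but with ONE mutex for every access and an explicit count. */
typedef struct {
    int *ids;              /* msgids, followed by a -1 terminator */
    size_t count;          /* live msgids, terminator excluded */
    pthread_mutex_t lock;  /* single lock shared by add, remove and lookup */
} abandoned_list;

/* do_abandon side: grow the array and append msgid, keeping the terminator. */
int abandoned_add(abandoned_list *l, int msgid) {
    pthread_mutex_lock(&l->lock);
    int *n = realloc(l->ids, (l->count + 2) * sizeof *n);
    if (n == NULL) { pthread_mutex_unlock(&l->lock); return -1; }
    l->ids = n;
    l->ids[l->count++] = msgid;
    l->ids[l->count] = -1;
    pthread_mutex_unlock(&l->lock);
    return 0;
}

/* ldap_mark_abandoned side: drop msgid by shifting the tail (and the
 * terminator) down one slot; returns 1 if msgid was present. */
int abandoned_remove(abandoned_list *l, int msgid) {
    int found = 0;
    pthread_mutex_lock(&l->lock);
    for (size_t i = 0; i < l->count; i++) {
        if (l->ids[i] == msgid) {
            memmove(&l->ids[i], &l->ids[i + 1], (l->count - i) * sizeof *l->ids);
            l->count--;
            found = 1;
            break;
        }
    }
    pthread_mutex_unlock(&l->lock);
    return found;
}

/* ldap_abandoned side: scan bounded by count, so a lost or displaced
 * terminator can never turn into a read past the end of the allocation. */
int abandoned_contains(abandoned_list *l, int msgid) {
    int hit = 0;
    pthread_mutex_lock(&l->lock);
    for (size_t i = 0; i < l->count && !hit; i++)
        hit = (l->ids[i] == msgid);
    pthread_mutex_unlock(&l->lock);
    return hit;
}
```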