[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#4380) Using extensible matching can crash slapd

Full_Name: Kevin Spicer
Version: 2.3.18 + patches
OS: Solaris 9 sparc
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

I've found that I can crash slapd using the following ldapsearch command...

ldapsearch -b "ou=machines,dc=mydomain,dc=com" -s sub '(:dn:'


ldapsearch -b "ou=machines,dc=mydomain,dc=com" -s sub

This is on 2.3.18 with patches for ITS#
4316,4324,4326,4331,4334,4336,4338,4339,select logging level.

interesting to note that 
ldapsearch -b "ou=machines,dc=mydomain,dc=com" -s sub '(:dn:'
doesn't crash slapd.

Heres a backtrace from the core file...
#0  0x00000000 in ?? ()
#1  0x00076ee0 in asserted_value_validate_normalize (ad=0x0, mr=0x36f8b8,
    usage=2049, in=0xf87ff920, out=0xf87ff90c, text=0xf87ffd44, ctx=0x4263f8)
    at value.c:157
#2  0x000c104c in get_mra (op=0x1f94a60, ber=0x24868c8, mra=0xf87ff9cc,
    text=0xf87ffd44) at mra.c:194
#3  0x00052d8c in get_filter (op=0x1f94a60, ber=0x24868c8, filt=0x1f94aa0,
    text=0xf87ffd44) at filter.c:256
#4  0x00050e6c in do_search (op=0x1f94a60, rs=0xf87ffd30) at search.c:127
#5  0x0004dde4 in connection_operation (ctx=0xf87ffe08, arg_v=0x1f94a60)
    at connection.c:1307
#6  0x0016d7a4 in ldap_int_thread_pool_wrapper (xpool=0x379328) at tpool.c:479
#7  0xfef157bc in _lwp_start () from /usr/lib/libthread.so.1
#8  0xfef157bc in _lwp_start () from /usr/lib/libthread.so.1
Previous frame identical to this frame (corrupt stack?)