
(ITS#5050) array bounds violation in test045-syncreplication-proxied



Full_Name: Hallvard B Furuseth
Version: HEAD, RE23
OS: Linux
URL: 
Submission from: (NULL) (129.240.202.105)
Submitted by: hallvard


syncprov + back-ldap, and presumably + back-meta if that were used,
give an array bounds violation in test045-syncreplication-proxied:

syncprov_db_open() uses connection_fake_init(), which sets op->o_tag=0.
It passes op to back-ldap.

ldap_back_op_result() assumes op is a known LDAP request: It calls
slap_req2op() and gets SLAP_OP_LAST (for unknown tag).  That is used as
an index into ldapinfo_t.li_timeout[], which has size SLAP_OP_LAST.

back-meta/bind.c does the same in meta_back_bind_op_result() and
meta_back_op_result().

HEAD backtrace, from an assert(0) I put in slap_req2op():

#3  0x003d8d91 in __assert_fail () from /lib/tls/libc.so.6
#4  0x0809ac0e in slap_req2op (tag=0) at operation.c:203
#5  0x0816dba8 in ldap_back_op_result (lc=0x83a12f8, op=0xbfffe948,
rs=0xbfffe70c, msgid=1, timeout=-1, sendok=20) at bind.c:1582
#6  0x0816d727 in ldap_back_dobind_int (lcp=0xbfffe760, op=0xbfffe948,
rs=0xbfffe70c, sendok=LDAP_BACK_GETCONN, retries=0, dolock=1)
    at bind.c:1411
#7  0x0816d814 in ldap_back_dobind (lcp=0xbfffe760, op=0xbfffe948,
rs=0xbfffe70c, sendok=LDAP_BACK_DONTSEND) at bind.c:1440
#8  0x0812921a in ldap_back_entry_get (op=0xbfffe948, ndn=0x833b2a8, oc=0x0,
at=0x82ec610, rw=0, ent=0xbfffe944) at search.c:790
#9  0x080f7a55 in overlay_entry_get_ov (op=0xbfffe948, dn=0x833b2a8, oc=0x0,
ad=0x82ec610, rw=0, e=0xbfffe944, on=0x0) at backover.c:365
#10 0x081bd9da in syncprov_db_open (be=0x833a8a0) at syncprov.c:2550
#11 0x080f70b2 in over_db_func (be=0x833a8a0, which=db_open) at backover.c:61
#12 0x080f74c9 in over_db_open (be=0x833a8a0) at backover.c:174
#13 0x08092515 in backend_startup_one (be=0x833a8a0) at backend.c:212
#14 0x080929a2 in backend_startup (be=0x833a8a0) at backend.c:303
#15 0x080b9a94 in slap_startup (be=0x0) at init.c:243
#16 0x0806719d in main (argc=8, argv=0xbfffef14) at main.c:919
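
Added example, not part of the original report and not OpenLDAP source: a reduced C model of the pattern described above, where a tag-to-index mapper returns its "last" sentinel for an unknown tag and the caller must reject that value before indexing an array sized by the same sentinel. The names `req2op`, `op_timeout`, `struct info`, the three-member enum and the fallback behaviour are assumptions made for illustration; the actual fix chosen for ITS#5050 is not shown on this page.

```c
#include <stdio.h>
#include <time.h>

/* Simplified model of the reported pattern; enum members and the
 * struct layout are a reduced, constructed stand-in for slapd's. */
typedef enum { OP_BIND = 0, OP_SEARCH, OP_MODIFY, OP_LAST } op_idx_t;

#define REQ_BIND   0x60UL   /* LDAP BindRequest tag */
#define REQ_SEARCH 0x63UL   /* LDAP SearchRequest tag */
#define REQ_MODIFY 0x66UL   /* LDAP ModifyRequest tag */

struct info { time_t timeout[OP_LAST]; };   /* valid indices: 0 .. OP_LAST-1 */
_Static_assert(sizeof(((struct info *)0)->timeout) / sizeof(time_t) == OP_LAST,
               "timeout[] must have exactly OP_LAST slots");

/* As described for slap_req2op(): unknown tags map to the sentinel. */
static op_idx_t req2op(unsigned long tag)
{
    switch (tag) {
    case REQ_BIND:   return OP_BIND;
    case REQ_SEARCH: return OP_SEARCH;
    case REQ_MODIFY: return OP_MODIFY;
    default:         return OP_LAST;   /* tag 0 from an internal op lands here */
    }
}

/* The unchecked form, li->timeout[req2op(tag)], reads one element past
 * the end when tag is 0. This lookup treats the sentinel as "no
 * per-operation timeout configured" and returns the caller's fallback
 * (hypothetical policy, chosen for this example). */
static time_t op_timeout(const struct info *li, unsigned long tag, time_t fallback)
{
    op_idx_t idx = req2op(tag);
    if ((unsigned)idx >= (unsigned)OP_LAST)
        return fallback;
    return li->timeout[idx];
}

int main(void)
{
    struct info li = { { 5, 30, 10 } };   /* constructed sample timeouts */
    printf("search: %ld\n", (long)op_timeout(&li, REQ_SEARCH, -1));
    printf("internal op (tag 0): %ld\n", (long)op_timeout(&li, 0, -1));
    return 0;
}
```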