[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5048) Suspicious use of 'unchecked' limit syncprov

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#5048) Suspicious use of 'unchecked' limit syncprov
From: h.b.furuseth@usit.uio.no
Date: Tue, 11 Jan 2011 09:45:26 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

Reopening this ITS...

Howard Chu writes:
>> Full_Name: Hallvard B Furuseth
>> 
>> overlays/syncprov.c:syncprov_findcsn() sets an unchecked limit to 1.
>> findcsn_cb() says
>> 	/* We just want to know that at least one exists, so it's OK if
>> 	 * we exceed the unchecked limit or size limit.
>> 	 */
>> 
>> This looks like it can return a false positive if two or more other
>> entries which the filter would eliminate have the same hash as the
>> value syncprov searches for.
> 
> I don't believe this can cause any problem though. CSN indexing doesn't use a 
> hash the way other indices do; the CSN timestamp is converted to binary form 
> and saved as a 40 bit integer. Index collisions will only occur for multiple 
> changes that occurred within the same 1-second interval.

Only if entryCSN is indexed, which is recommended but not required in
man slapo-syncprov.  With un-indexed entryCSN it'll hit the unchecked
limit if there are two or more entries in scope for the search.

Also - another marginal case - findcsn_cb() assumes adminLimitExceeded
implies a size limit (.size or .unchecked).  It could also mean a hard
time limit.  After someone did ^Z on slapd while stepping through some
debugging, if nothing else.

-- 
Hallvard

Prev by Date: Re: (ITS#6757) SASL canonicalize doesn't work as documented
Next by Date: Re: (ITS#5048) Suspicious use of 'unchecked' limit syncprov
Index(es):
- Chronological
- Thread