[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5048) Suspicious use of 'unchecked' limit syncprov

Reopening this ITS...

Howard Chu writes:
>> Full_Name: Hallvard B Furuseth
>> overlays/syncprov.c:syncprov_findcsn() sets an unchecked limit to 1.
>> findcsn_cb() says
>> 	/* We just want to know that at least one exists, so it's OK if
>> 	 * we exceed the unchecked limit or size limit.
>> 	 */
>> This looks like it can return a false positive if two or more other
>> entries which the filter would eliminate have the same hash as the
>> value syncprov searches for.
> I don't believe this can cause any problem though. CSN indexing doesn't use a 
> hash the way other indices do; the CSN timestamp is converted to binary form 
> and saved as a 40 bit integer. Index collisions will only occur for multiple 
> changes that occurred within the same 1-second interval.

Only if entryCSN is indexed, which is recommended but not required in
man slapo-syncprov.  With un-indexed entryCSN it'll hit the unchecked
limit if there are two or more entries in scope for the search.

Also - another marginal case - findcsn_cb() assumes adminLimitExceeded
implies a size limit (.size or .unchecked).  It could also mean a hard
time limit.  After someone did ^Z on slapd while stepping through some
debugging, if nothing else.