[Date Prev][Date Next]
Re: (ITS#5048) Suspicious use of 'unchecked' limit syncprov
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#5048) Suspicious use of 'unchecked' limit syncprov
- From: firstname.lastname@example.org
- Date: Tue, 11 Jan 2011 20:16:07 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Hallvard B Furuseth wrote:
> Reopening this ITS...
> Howard Chu writes:
>>> Full_Name: Hallvard B Furuseth
>>> overlays/syncprov.c:syncprov_findcsn() sets an unchecked limit to 1.
>>> findcsn_cb() says
>>> /* We just want to know that at least one exists, so it's OK if
>>> * we exceed the unchecked limit or size limit.
>>> This looks like it can return a false positive if two or more other
>>> entries which the filter would eliminate have the same hash as the
>>> value syncprov searches for.
>> I don't believe this can cause any problem though. CSN indexing doesn't use a
>> hash the way other indices do; the CSN timestamp is converted to binary form
>> and saved as a 40 bit integer. Index collisions will only occur for multiple
>> changes that occurred within the same 1-second interval.
> Only if entryCSN is indexed, which is recommended but not required in
> man slapo-syncprov. With un-indexed entryCSN it'll hit the unchecked
> limit if there are two or more entries in scope for the search.
> Also - another marginal case - findcsn_cb() assumes adminLimitExceeded
> implies a size limit (.size or .unchecked). It could also mean a hard
> time limit. After someone did ^Z on slapd while stepping through some
> debugging, if nothing else.
Wrong. AdminLimitExceeded ONLY means unchecked here. Otherwise it would be
SizeLimitExceeded (or TimeLimitExceeded).
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/