[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5048) Suspicious use of 'unchecked' limit syncprov

Hallvard B Furuseth wrote:
> Reopening this ITS...
> Howard Chu writes:
>>> Full_Name: Hallvard B Furuseth
>>> overlays/syncprov.c:syncprov_findcsn() sets an unchecked limit to 1.
>>> findcsn_cb() says
>>> 	/* We just want to know that at least one exists, so it's OK if
>>> 	 * we exceed the unchecked limit or size limit.
>>> 	 */
>>> This looks like it can return a false positive if two or more other
>>> entries which the filter would eliminate have the same hash as the
>>> value syncprov searches for.
>> I don't believe this can cause any problem though. CSN indexing doesn't use a
>> hash the way other indices do; the CSN timestamp is converted to binary form
>> and saved as a 40 bit integer. Index collisions will only occur for multiple
>> changes that occurred within the same 1-second interval.
> Only if entryCSN is indexed, which is recommended but not required in
> man slapo-syncprov.  With un-indexed entryCSN it'll hit the unchecked
> limit if there are two or more entries in scope for the search.
> Also - another marginal case - findcsn_cb() assumes adminLimitExceeded
> implies a size limit (.size or .unchecked).  It could also mean a hard
> time limit.  After someone did ^Z on slapd while stepping through some
> debugging, if nothing else.

Wrong. AdminLimitExceeded ONLY means unchecked here. Otherwise it would be 
SizeLimitExceeded (or TimeLimitExceeded).

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/