[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#7127) Syncrepl config uses freed data

To: openldap-its@OpenLDAP.org
Subject: (ITS#7127) Syncrepl config uses freed data
From: h.b.furuseth@usit.uio.no
Date: Thu, 19 Jan 2012 18:40:43 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

Full_Name: Hallvard B Furuseth
Version: 2.4.21++, master
OS: 
URL: 
Submission from: (NULL) (195.1.106.125)
Submitted by: hallvard


In syncrepl_config(), ldap_pvt_runqueue_remove() frees 're',
then the retract statement reads 're->routine':

	ldap_pvt_runqueue_remove( &slapd_rq, re );
	ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
	if ( ldap_pvt_thread_pool_retract( &connection_pool,
		re->routine, re ) > 0 )

Formally I think the pointer 're' itself is invalid after freeing it,
so the ISO C-clean fix would involve calling retract() first.  If
that's wrong:  I assume the thread pool is paused at this point, so
the task can not be started (and use re) before it can be retracted,
and we can just just read re->routine before freeing re.

Found by Valgrind in test063-delta-multimaster.

Prev by Date: Re: (ITS#7113) broken read-only replica results in assertion failure and crash on master slapd process
Next by Date: Re: (ITS#7127) Syncrepl config uses freed data
Index(es):
- Chronological
- Thread