
(ITS#7127) Syncrepl config uses freed data

Full_Name: Hallvard B Furuseth
Version: 2.4.21++, master
Submission from: (NULL) (
Submitted by: hallvard

In syncrepl_config(), ldap_pvt_runqueue_remove() frees 're',
then the retract statement reads 're->routine':

	ldap_pvt_runqueue_remove( &slapd_rq, re );
	ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
	if ( ldap_pvt_thread_pool_retract( &connection_pool,
		re->routine, re ) > 0 )

Formally I think the pointer 're' itself is invalid after freeing it,
so the ISO C-clean fix would involve calling retract() first.  If
that's wrong:  I assume the thread pool is paused at this point, so
the task can not be started (and use re) before it can be retracted,
and we can just read re->routine before freeing re.

Found by Valgrind in test063-delta-multimaster.
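The ordering problem the report describes, reduced to a stand-alone C model. This is an added example, not OpenLDAP code: the runqueue, thread pool, `rq_remove()` and `pool_retract()` below are assumed stand-ins for ldap_pvt_runqueue_remove() and ldap_pvt_thread_pool_retract(), with the mutex and pool pause left out. It shows the use-after-free ordering beside the two fixes the report proposes (retract before freeing, or copy re->routine out before freeing), and poisons the freed entry so a stale read would be visible even without Valgrind.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenLDAP's code. Assumed stand-ins for the ITS#7127 report. */

typedef void *(*task_fn)(void *ctx, void *arg);

struct re_s {                 /* stand-in for a runqueue entry */
    task_fn routine;
    void *arg;
    struct re_s *next;
};

struct runqueue_s { struct re_s *head; };

struct pool_s {               /* stand-in for a thread pool with one queued task */
    task_fn pending_fn;
    void *pending_arg;
    int retracted;
};

/* Stand-in for ldap_pvt_runqueue_remove(): unlinks re and frees it. */
static void rq_remove(struct runqueue_s *rq, struct re_s *re)
{
    struct re_s **pp = &rq->head;
    while (*pp && *pp != re) pp = &(*pp)->next;
    if (*pp) *pp = re->next;
    memset(re, 0xAA, sizeof *re);   /* poison: a later read of re->routine gets garbage */
    free(re);
}

/* Stand-in for ldap_pvt_thread_pool_retract(): drop a not-yet-started task, 1 if found. */
static int pool_retract(struct pool_s *pool, task_fn fn, void *arg)
{
    if (pool->pending_fn == fn && pool->pending_arg == arg) {
        pool->pending_fn = NULL;
        pool->pending_arg = NULL;
        pool->retracted++;
        return 1;
    }
    return 0;
}

/* The ordering the report describes: remove (frees re), then read re->routine.
 * Kept only for comparison; never call it, it is a use-after-free. */
int config_buggy_order(struct runqueue_s *rq, struct pool_s *pool, struct re_s *re)
{
    rq_remove(rq, re);
    return pool_retract(pool, re->routine, re);
}

/* Fix 1 (ISO C clean): retract while re is still alive, then free it. */
static int config_retract_first(struct runqueue_s *rq, struct pool_s *pool, struct re_s *re)
{
    int r = pool_retract(pool, re->routine, re);
    rq_remove(rq, re);
    return r;
}

/* Fix 2: copy re->routine out before freeing. The freed pointer value is then
 * only compared, never dereferenced; formally still dubious per ISO C, as the
 * report notes, and safe only while the pool is paused so the task cannot start. */
static int config_save_routine_first(struct runqueue_s *rq, struct pool_s *pool, struct re_s *re)
{
    task_fn fn = re->routine;
    rq_remove(rq, re);
    return pool_retract(pool, fn, re);
}

static void *dummy_routine(void *ctx, void *arg) { (void)ctx; return arg; }

/* Constructed scenario: one entry on the runqueue, queued but not started in the pool. */
static struct re_s *scenario(struct runqueue_s *rq, struct pool_s *pool)
{
    struct re_s *re = calloc(1, sizeof *re);
    if (!re) return NULL;
    re->routine = dummy_routine;
    re->next = rq->head;
    rq->head = re;
    pool->pending_fn = dummy_routine;
    pool->pending_arg = re;
    pool->retracted = 0;
    return re;
}

/* Each returns 1 when the task was retracted and the entry removed. */
int demo_retract_first(void)
{
    struct runqueue_s rq = { 0 };
    struct pool_s pool = { 0 };
    struct re_s *re = scenario(&rq, &pool);
    if (!re) return 0;
    int r = config_retract_first(&rq, &pool, re);
    return r == 1 && rq.head == NULL && pool.retracted == 1;
}

int demo_save_routine_first(void)
{
    struct runqueue_s rq = { 0 };
    struct pool_s pool = { 0 };
    struct re_s *re = scenario(&rq, &pool);
    if (!re) return 0;
    int r = config_save_routine_first(&rq, &pool, re);
    return r == 1 && rq.head == NULL && pool.retracted == 1;
}
```

Building with `-fsanitize=address` or running under Valgrind flags `config_buggy_order()` immediately if it is ever called; the two fixed orderings are clean under both.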