[Date Prev][Date Next]
Re: (ITS#7127) Syncrepl config uses freed data
> Full_Name: Hallvard B Furuseth
> Version: 2.4.21++, master
> Submission from: (NULL) (220.127.116.11)
> Submitted by: hallvard
> In syncrepl_config(), ldap_pvt_runqueue_remove() frees 're',
> then the retract statement reads 're->routine':
> ldap_pvt_runqueue_remove(&slapd_rq, re );
> ldap_pvt_thread_mutex_unlock(&slapd_rq.rq_mutex );
> if ( ldap_pvt_thread_pool_retract(&connection_pool,
> re->routine, re )> 0 )
> Formally I think the pointer 're' itself is invalid after freeing it,
> so the ISO C-clean fix would involve calling retract() first. If
> that's wrong: I assume the thread pool is paused at this point, so
> the task can not be started (and use re) before it can be retracted,
> and we can just just read re->routine before freeing re.
Makes sense. Fixed in master.
> Found by Valgrind in test063-delta-multimaster.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/