
(ITS#7542) slapd segfault on modify



Full_Name: Matthias Grau
Version: 2.4.34
OS: debian 6.7.0 x64
URL: ftp://ftp.openldap.org/incoming/matthias.grau.130318.bz2
Submission from: (NULL) (94.217.193.246)


slapd can cause a segfault when sorting values in a modify operation.
Under rare circumstances, jstack += 2; at modify.c:802 can reach a value greater
than 63, which leads to an overwritten pointer to the AttributeDescription.

Changing the size of istack from sizeof(int) * 16 to sizeof(int) * 16 + 1 solves
the segfault, but I don't think that's the correct solution.
As shown here:
http://theory.stanford.edu/~amitp/rants/c++-vs-c/test5.cc
there should be a condition to break if jstack reaches the size of istack.



root@debian:/root# gdb /usr/local/libexec/slapd 
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/libexec/slapd...done.
(gdb) r  -h ldap://localhost:389 -f /root/slapd.conf -d 0
Starting program: /usr/local/libexec/slapd -h ldap://localhost:389 -f
/root/slapd.conf -d 0
[Thread debugging using libthread_db enabled]
[New Thread 0x7ffff6dc8700 (LWP 3728)]
[New Thread 0x7ffff65c7700 (LWP 3730)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff65c7700 (LWP 3730)]
0x000000000045135b in ordered_value_match (match=0x7ffff65c56cc, ad=0x17c4,
mr=0x92ddb0, flags=269, v1=0xcc0820, v2=0x7ffff65c56b0, text=0x7ffff65c6a90) at
value.c:633
633		if ( ad->ad_type->sat_flags & SLAP_AT_ORDERED ) {
(gdb) bt
#0  0x000000000045135b in ordered_value_match (match=0x7ffff65c56cc, ad=0x17c4,
mr=0x92ddb0, flags=269, v1=0xcc0820, v2=0x7ffff65c56b0, text=0x7ffff65c6a90) at
value.c:633
#1  0x000000000044b71c in slap_sort_vals (ml=0xca8900, text=0x7ffff65c6a90,
dup=0x7ffff65c587c, ctx=0x0) at modify.c:741
#2  0x000000000044b497 in slap_mods_check (op=0xaae2a0, ml=0xca8900,
text=0x7ffff65c6a90, textbuf=0x7ffff65c6900 "", textlen=256, ctx=0x0) at
modify.c:652
#3  0x000000000044a125 in do_modify (op=0xaae2a0, rs=0x7ffff65c6a70) at
modify.c:168
#4  0x000000000042a7b0 in connection_operation (ctx=0x7ffff65c6ba0,
arg_v=0xaae2a0) at connection.c:1150
#5  0x000000000042ad51 in connection_read_thread (ctx=0x7ffff65c6ba0, argv=0xd)
at connection.c:1286
#6  0x00000000005ad930 in ldap_int_thread_pool_wrapper (xpool=<value optimized
out>) at tpool.c:688
#7  0x00007ffff784f8ca in start_thread () from /lib/libpthread.so.0
#8  0x00007ffff7169b6d in clone () from /lib/libc.so.6
#9  0x0000000000000000 in ?? ()
(gdb) p ad
$1 = (AttributeDescription *) 0x17c4
(gdb) p *ad
Cannot access memory at address 0x17c4
(gdb)
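An added example (not OpenLDAP's slap_sort_vals, and not the reporter's code) of the explicit-stack sort pattern the report describes, with the bounds check the reporter asks for; STACK_INTS, bounded_qsort, fill_sorted and is_sorted are names chosen here, and the 16-int stack is kept deliberately small so the overflow path is reachable with a few dozen elements. It also goes one step further than the report by showing that deferring the larger partition keeps the pending stack within about log2(n) entries, so the check becomes a safety net rather than something ordinary input can trip.

```c
/* Added example (not OpenLDAP's slap_sort_vals): an explicit-stack
 * quicksort where each deferred partition costs two ints, as in the
 * report. Returns 0 when done and -1 when a push would run past istack,
 * the bounds check the report asks for; without it the write lands in
 * whatever the compiler placed after istack (the AttributeDescription
 * pointer in the crash above). larger_first != 0 defers the larger
 * partition and continues on the smaller, which keeps pending entries
 * within about log2(n); larger_first == 0 always defers the right one,
 * so already-sorted input needs n-1 pending entries. */
#define STACK_INTS 16                        /* deliberately small */
static void swap_int(int *a, int *b) { int t = *a; *a = *b; *b = t; }

int bounded_qsort(int *v, int n, int larger_first)
{
    int istack[STACK_INTS];
    int jstack = 0, l = 0, ir = n - 1;
    for (;;) {
        if (ir <= l) {                       /* size 0 or 1: pop or finish */
            if (jstack == 0) return 0;
            ir = istack[--jstack];
            l  = istack[--jstack];
            continue;
        }
        /* Lomuto partition around v[ir], kept simple on purpose. */
        int pivot = v[ir], i = l, j;
        for (j = l; j < ir; j++)
            if (v[j] < pivot) swap_int(&v[i++], &v[j]);
        swap_int(&v[i], &v[ir]);             /* pivot now sits at index i */
        int pl, pr;                          /* partition to defer */
        if (larger_first && (i - l) > (ir - i)) {
            pl = l; pr = i - 1; l = i + 1;   /* defer left, continue right */
        } else {
            pl = i + 1; pr = ir; ir = i - 1; /* defer right, continue left */
        }
        if (jstack + 2 > STACK_INTS)         /* the check the report wants */
            return -1;
        istack[jstack++] = pl;
        istack[jstack++] = pr;
    }
}

/* Constructed input: 0..n-1 ascending, the worst case for the
 * always-defer-right variant with a last-element pivot. */
void fill_sorted(int *v, int n) { for (int i = 0; i < n; i++) v[i] = i; }
int is_sorted(const int *v, int n)
{
    for (int i = 1; i < n; i++) if (v[i - 1] > v[i]) return 0;
    return 1;
}
```

With larger_first == 0, twenty already-sorted values are enough to hit the check; with larger_first != 0 the same stack handles a hundred values with room to spare.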