
Re: (ITS#8592) Double free in sssvlv.c




I have found the cause of the problem. This bug is hard to reproduce unless
we make some change to the source code (e.g. put sleep(1) into the send_result
function of sssvlv.c).

Illustrative steps:

1. A client sends two requests with "server side sort" control flag to
search some entries.

2. The server dispatches two threads (A and B) to handle.

3. Thread A allocates the "so" struct and puts the "so" pointer into the
static array, sort_conns.

4. Thread A cannot find any entry. free_sort_op is going to be called at the
end of the send_result function.

5. At the same time, before free_sort_op is called, Thread B acquires the
"so" pointer in sssvlv_op_search. This is because the ps_cookie is always
zero for a newly initialized "so".

6. free_sort_op is called in Thread A.

7. For thread B, because op->o_conn->c_pagedresults_state.ps_cookie !=
ps->ps_cookie, ok becomes 0.

8. free_sort_op is called in Thread B. A double free error occurs. The server
dies.

This bug will cause every slapd server to die if the sssvlv overlay is
enabled.

I have fixed this problem by adding one boolean flag to the sort_op struct to
indicate whether it is occupied or not.

What is the best way to submit my patch?


On Sat, Feb 18, 2017 at 2:02 AM, Quanah Gibson-Mount <quanah@symas.com>
wrote:

> --On Thursday, February 16, 2017 5:06 AM +0000 kevinanties@gmail.com
> wrote:
>
>> Full_Name: Kevin
>> Version: 2.40
>> OS: Debian 7
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (218.188.214.98)
>>
>
> Please do not file new ITSes for an existing issue.  Please follow up to the
> original ITS with your additional information.
>
> Thanks.
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
>
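The interleaving the reporter lays out, as an added example that is not part of this thread and not OpenLDAP's own code: a deliberately single-threaded C model of the per-connection slot table, replaying steps 3 to 8 in the order described. The struct, the slot table and the function names (sort_op_attach, sort_op_release, simulate_race, aliasing_without_flag) are simplified stand-ins for sssvlv.c's sort_op, sort_conns, sssvlv_op_search and free_sort_op, and the occupancy flag is given the hypothetical name so_in_use. The model assumes the real table is only ever touched under the lock that already guards it in slapd; the point it shows is why matching on ps_cookie alone lets a second request alias a fresh "so" (cookie 0), and how an occupancy flag plus an ownership check on release turns the second free into a refused no-op.

```c
#include <stdlib.h>
#include <string.h>

/*
 * Simplified model of the race, not OpenLDAP code. One slot per connection
 * hands out a sort_op ("so"); a second request on the same connection must not
 * be given a fresh so whose cookie is still zero. so_in_use is the hypothetical
 * occupancy flag the report describes adding to sort_op.
 */
#define MAX_CONNS 8

typedef struct sort_op {
    unsigned long so_cookie;   /* stands in for ps_cookie; 0 on a fresh so */
    int so_in_use;             /* hypothetical flag: set while a request owns it */
} sort_op;

static sort_op *sort_conns[MAX_CONNS];  /* stands in for the static sort_conns array */
static int free_count;                  /* how many times sort_op_release actually freed */

/* Attach a request on connection `conn` carrying paged-results cookie `cookie`.
 * Returns the so the caller now owns, or NULL when the slot is already owned by
 * another in-flight request (the case that used to be aliased) or the cookie
 * does not match the resumable result set. */
static sort_op *sort_op_attach(int conn, unsigned long cookie)
{
    sort_op *so;
    if (conn < 0 || conn >= MAX_CONNS)
        return NULL;
    so = sort_conns[conn];
    if (so != NULL) {
        if (so->so_in_use)
            return NULL;            /* busy: never hand out another thread's so */
        if (so->so_cookie != cookie)
            return NULL;            /* cookie mismatch: caller rejects the request */
        so->so_in_use = 1;          /* resuming a paged result set */
        return so;
    }
    so = calloc(1, sizeof *so);     /* fresh so: cookie is 0, exactly as in the report */
    if (so == NULL)
        return NULL;
    so->so_in_use = 1;
    sort_conns[conn] = so;
    return so;
}

/* Release the so owned by the caller. Returns 1 when this call freed it and 0
 * when `so` is not the live owner of the slot, so a stale second release is a
 * no-op instead of a double free. The pointer is compared before any deref. */
static int sort_op_release(int conn, sort_op *so)
{
    if (conn < 0 || conn >= MAX_CONNS || so == NULL)
        return 0;
    if (sort_conns[conn] != so)
        return 0;
    if (!so->so_in_use)
        return 0;
    so->so_in_use = 0;
    sort_conns[conn] = NULL;
    free(so);
    free_count++;
    return 1;
}

/* Replays the reporter's steps on one connection with the flag in place.
 * Returns the number of frees that happened (1), or -1 if B got aliased. */
int simulate_race(void)
{
    int conn = 3;
    sort_op *so_a, *so_b;
    memset(sort_conns, 0, sizeof sort_conns);
    free_count = 0;

    so_a = sort_op_attach(conn, 0);     /* step 3: thread A allocates, cookie 0 */
    so_b = sort_op_attach(conn, 0);     /* step 5: thread B arrives with cookie 0 */
    if (so_b != NULL)
        return -1;                      /* with the flag, B is refused, not aliased */
    sort_op_release(conn, so_a);        /* step 6: A's send_result frees its so */
    sort_op_release(conn, so_a);        /* step 8: B's release of the same pointer is rejected */
    return free_count;
}

/* The pre-fix lookup, matching on cookie alone: returns 1 if a concurrent
 * request with cookie 0 would be handed A's freshly allocated so. */
int aliasing_without_flag(void)
{
    int conn = 3, aliased;
    sort_op *so_a;
    memset(sort_conns, 0, sizeof sort_conns);
    so_a = sort_op_attach(conn, 0);                     /* thread A, as in step 3 */
    aliased = (sort_conns[conn] != NULL &&
               sort_conns[conn]->so_cookie == 0);       /* B's cookie-only match */
    sort_op_release(conn, so_a);                        /* free exactly once here */
    return aliased;
}
```

Both checks matter together: refusing the attach while the slot is busy stops the aliasing, and comparing the pointer against the slot before freeing makes free_sort_op safe to reach from a path that lost the race.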
