Re: (ITS#8592) Double free in sssvlv.c
I have found the cause of the problem. This bug is hard to reproduce unless
we make some change to the source code (e.g. put sleep(1) in the send_result
function of sssvlv.c).

Illustrative steps:

1. A client sends two requests with the "server side sort" control flag to
search some entries.
2. The server dispatches two threads (A and B) to handle them.
3. Thread A allocates the "so" struct and puts the "so" pointer into the
static array, sort_conns.
4. Thread A cannot find any entry. free_sort_op is going to be called at the
end of the send_result function.
5. At the same time, before free_sort_op is called, Thread B acquires the
"so" pointer in sssvlv_op_search. This is because the ps_cookie is always
zero for a newly initialized "so".
6. free_sort_op is called in Thread A.
7. For thread B, due to op->o_conn->c_pagedresults_state.ps_cookie !=
ps->ps_cookie, ok becomes 0.
8. free_sort_op is called in Thread B. A double free error occurs. The server
dies.

This bug will cause every slapd server to die if the sssvlv overlay is
enabled.

I have fixed this problem by adding one boolean flag to the sort_op struct to
indicate whether it is occupied or not.

What is the best way to submit my patch?
On Sat, Feb 18, 2017 at 2:02 AM, Quanah Gibson-Mount <quanah@symas.com>
wrote:
> --On Thursday, February 16, 2017 5:06 AM +0000 kevinanties@gmail.com
> wrote:
>
>> Full_Name: Kevin
>> Version: 2.40
>> OS: Debian 7
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (218.188.214.98)
>>
>
> Please do not file new ITSes for an existing issue. Please follow up to the
> original ITS with your additional information.
>
> Thanks.
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
>
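The hand-off described in the mail, modelled as an added example (not code from the OpenLDAP tree or from the reporter's patch): two requests with cookie 0 both match a freshly created op unless the op records an owner. The names sort_op, sort_conns, ps_cookie and free_sort_op follow the mail; the struct layout, the slot table, sssvlv_get_op, replay_race and the atomic test-and-set on the flag are assumptions.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Constructed model: struct layout and slot table are assumptions,
 * in_use is the "occupied" flag the mail proposes. */
typedef struct sort_op {
    unsigned long ps_cookie;  /* paged-results cookie; 0 for a fresh op */
    _Atomic int   in_use;     /* set while an operation owns this op */
} sort_op;

#define SLOTS 4
static sort_op *sort_conns[SLOTS];

/* Find the op for a cookie, creating one if none is found.
 * use_flag == 0: the reported behaviour, a fresh op (ps_cookie 0) is handed
 * to any request with cookie 0, even while thread A still owns it.
 * use_flag == 1: the fix, the op is handed out only if test-and-set on
 * in_use shows nobody owned it; otherwise a new op is allocated. */
sort_op *sssvlv_get_op(unsigned long cookie, int use_flag) {
    for (int i = 0; i < SLOTS; i++) {
        sort_op *so = sort_conns[i];
        if (!so || so->ps_cookie != cookie) continue;
        if (!use_flag) return so;                         /* no ownership check */
        if (!atomic_exchange(&so->in_use, 1)) return so;  /* claimed atomically */
    }
    for (int i = 0; i < SLOTS; i++) {                     /* nothing reusable */
        if (!sort_conns[i]) {
            sort_op *so = calloc(1, sizeof *so);
            if (so) { atomic_store(&so->in_use, 1); sort_conns[i] = so; }
            return so;
        }
    }
    return NULL;
}

/* Drop the table entry and free once. Returns 0 when the op is no longer in
 * the table, i.e. this call would have been the second free of the pointer. */
int free_sort_op(sort_op *so) {
    if (!so) return 0;
    for (int i = 0; i < SLOTS; i++)
        if (sort_conns[i] == so) { sort_conns[i] = NULL; free(so); return 1; }
    return 0;
}

/* Replay steps 3-8 of the mail in one thread: A obtains an op, B looks one up
 * before A releases, A frees, B frees. Returns 1 when both held the same op. */
int replay_race(int use_flag) {
    sort_op *a = sssvlv_get_op(0, use_flag);   /* step 3, thread A */
    sort_op *b = sssvlv_get_op(0, use_flag);   /* step 5, thread B */
    int shared = (a == b);
    free_sort_op(a);                           /* step 6 */
    free_sort_op(b);                           /* step 8: 0 when shared */
    return shared;
}
```

In a real server the check and the claim must be a single atomic step (here the exchange on in_use), since a plain read of the flag followed by a write leaves the same window the mail describes.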