Re: (ITS#3404) sockber stack SEGVs



richton@nbcs.rutgers.edu wrote:

>I was playing around with this a bit and found the following situation.
>I'm not sure if it's relevant or not, but it caught my eye because it
>combines ber/syncrepl (which Jong-Hyuk thinks might be trouble, and what I
>know to be trouble...)
>
><rtc> Read from uninitialized (rui) on thread 3:
>Attempting to read 1 byte at address 0x62357d
>    which is 5 bytes into a heap block of size 4060 bytes at 0x623578
>This block was allocated from:
>        [1] ber_memalloc_x() at line 232 in "memory.c"
>        [2] ber_memrealloc_x() at line 314 in "memory.c"
>        [3] ber_realloc() at line 136 in "io.c"
>        [4] ber_write() at line 87 in "io.c"
>        [5] ber_init() at line 365 in "io.c"
>        [6] parseLDAPsync() at line 1387 in "controls.c"
>        [7] get_ctrls() at 0x965b8
>        [8] do_search() at line 196 in "search.c"
>Location of error:
>current thread: t@3
>=>[1] ber_getnint(ber = 0x63dae0, num = 0xa7bff998, len = 1U), line 232 in "decode.c"
>  [2] ber_get_int(ber = 0x63dae0, num = 0xa7bff998), line 252 in "decode.c"
>  [3] ber_scanf(ber = 0x63dae0, fmt = 0x1d1ca1 "i", ...), line 711 in "decode.c"
>  [4] parseLDAPsync(op = 0x625008, rs = -1480589992, ctrl = 6548404), line 1393 in "controls.c"
>  [5] get_ctrls(0x625008, 0xa7bffd58, 0x1, 0xa7bffcc8, 0x0, 0x625040), at 0x965b8
>  [6] do_search(op = 0x625008, rs = 0xa7bffd58), line 196 in "search.c"
>  [7] connection_operation(ctx = 0xa7bffe14, arg_v = 0x625008), line 1079 in "connection.c"
>  [8] ldap_int_thread_pool_wrapper(xpool = 0x558bf8), line 467 in "tpool.c"
>
That seems simple enough, try this patch:

Index: controls.c
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/servers/slapd/controls.c,v
retrieving revision 1.72.2.20
diff -u -r1.72.2.20 controls.c
--- controls.c  29 Jun 2004 21:45:49 -0000      1.72.2.20
+++ controls.c  3 Dec 2004 16:30:33 -0000
@@ -508,6 +508,8 @@

                        c->ldctl_iscritical = (crit != 0);
                        tag = ber_peek_tag( ber, &len );
+               } else {
+                       c->ldctl_iscritical = 0;
                }

                if( tag == LBER_OCTETSTRING ) {
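Review bot: the new `else` branch at `c->ldctl_iscritical = 0;` only covers the one field that the `if` branch sets, so any further member of the control structure that is filled in conditionally later stays uninitialized unless it gets its own `else`; zeroing the whole control structure once, right after it is allocated, would cover `ldctl_iscritical`, `ldctl_value` and any field added in future in one place, and would make these per-field `else` branches unnecessary.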
@@ -531,6 +533,8 @@
                                rs->sr_text = "decoding controls error";
                                goto return_results;
                        }
+               } else {
+                       BER_BVZERO( &c->ldctl_value );
                }

 #ifdef NEW_LOGGING
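Review bot: `BER_BVZERO( &c->ldctl_value );` makes a missing control value detectable but does not by itself make it safe to consume; the quoted trace shows the uninitialized read happening in parseLDAPsync() after ber_init() on the control value, so the consumer should also reject an empty value (e.g. check `BER_BVISNULL( &ctrl->ldctl_value )` before calling ber_init and return a protocol error) rather than rely on ber_init handling a zeroed berval; otherwise a client that sends the control without a value still reaches the same ber_scanf path.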

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support