(ITS#8804) repeated crashes using chaning

[klaus.jungbauer@is4it.de]

Full_Name: Klaus Jungbauer
Version: 2.4.45
OS: RHEL 7.4
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (82.135.30.210)


I tried to use slapd within a productive environment where the slapd uses its
mdb to resolve technical accounts and netgroups while real user accounts have to
be resolved at AD. To do this a proxy was configured with chaining to resolve
referrals.
This configuration leads to very often crashes within an interval from 3 to 60
seconds (!):
slapd: chain.c:226: ldap_chain_uri_cmp: Assertion `!((&li2->li_bvuri[ 0
])->bv_val == ((void *)0))' failed.

Using gdb i can see the crashes were caused by chain.c:226 or 227 coming from
chain.c:831.

Going deeper i saw that the assert checking li_bvuri uses a pointer at
li_bvuri.bv_val which was an allocated mem at insertion time of node to tree
which gets freed at chain:893. This points to a strange memory (mis)management.
As a quick and dirty hack i changed chain:893 and chain.c:620 from
'ldap_memfree( li.li_uri );' to 'if ( temporary ) ldap_memfree( li.li_uri );'
and inserted 'if (li2->li_bvuri[0].bv_len == 0 || li2->li_bvuri[0].bv_val ==
NULL) return -1;' below chain.c:225. With this changes slapd runs about half a
day.

Adding a Debug statement like 'Debug( 256, "#### uri_cmp:
li2->li_bvuri[0].{bv_len=%d, bv_val='%s'}\n", li2->li_bvuri[0].bv_len,
li2->li_bvuri[0].bv_val, 0 );' at end of chain.c:225 shows strange outputs
like:
5a82a1de #### uri_cmp: li2->li_bvuri[0].{bv_len=-967084369, bv_val='(null)'}

I expect another place in code adds nodes to tree too - with unresolved
pointers.

cn=config was created by slaptest from slapd.conf. I uploaded slapd.conf as
slapd.conf_chain_provider__klaus.jungbauer@is4it.de to your ftp server. See
RedHat Ticket #02027931 too.
What do you need on additional files like config, logs, ...? 

Kind regards
Klaus Jungbauer