
crasher in try_read2msg() (ITS#2212)



Full_Name: Luke Howard
Version: HEAD
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (165.228.130.11)


I noticed that after adding some referrals to my directory, I was getting random
crashes in our LDAP clients, usually with the assertion in ber_sockbuf_ctrl()
failing.

I ran valgrind and found the following:

==23637== Invalid read of size 2
==23637==    at 0x40283A08: ber_sockbuf_ctrl (sockbuf.c:82)
==23637==    by 0x402582E1: try_read1msg (result.c:897)
==23637==    by 0x402575C4: wait4msg (result.c:354)
==23637==    by 0x40259430: ldap_search_ext_s (search.c:148)
==23637==    by 0x405EB13D: xad_ds__search (ds_result.c:136)
==23637==    by 0x405EB3ED: xad_ds__reconnecting_search (ds_result.c:222)
==23637==    by 0x405EB4BB: xad_ds_search (ds_result.c:252)
==23637==    by 0x405EB5B2: xad_ds_search_one (ds_result.c:291)
==23637==    by 0x402464A2: xad_pgo_crack_single_name (pgo_names.c:746)
==23637==    by 0x40246C4D: xad_pgo_get_token_groups (pgo_names.c:1006)
==23637==    by 0x405DC824: xad_sec_make_ms_pac_info (sec_ad.c:547)
==23637==    by 0x405DC90B: xad_sec_make_pac (sec_ad.c:598)
==23637==    by 0x8048BF0: dump_pac (makepac.c:34)
==23637==    by 0x8048DD2: main (makepac.c:80)
==23637==    by 0x4062D627: __libc_start_main
(../sysdeps/generic/libc-start.c:129)
==23637==    by 0x8048A31: (within
/home/lukeh/CVSRoot/padl/XAD/src/tools/makepac/.libs/makepac)
==23637==    Address 0x4181C2D4 is 0 bytes inside a block of size 28 free'd
==23637==    at 0x40047542: free (in /usr/lib/valgrind/valgrind.so)
==23637==    by 0x405E7728: xad_free (core.c:193)
==23637==    by 0x40282CB6: ber_memfree (memory.c:151)
==23637==    by 0x402839C1: ber_sockbuf_free (sockbuf.c:70)
==23637==    by 0x40265BEF: ldap_free_connection (request.c:495)
==23637==    by 0x4025810F: try_read1msg (result.c:792)
==23637==    by 0x402575C4: wait4msg (result.c:354)
==23637==    by 0x40259430: ldap_search_ext_s (search.c:148)
==23637==    by 0x405EB13D: xad_ds__search (ds_result.c:136)
==23637==    by 0x405EB3ED: xad_ds__reconnecting_search (ds_result.c:222)
==23637==    by 0x405EB4BB: xad_ds_search (ds_result.c:252)
==23637==    by 0x405EB5B2: xad_ds_search_one (ds_result.c:291)
==23637==    by 0x402464A2: xad_pgo_crack_single_name (pgo_names.c:746)
==23637==    by 0x40246C4D: xad_pgo_get_token_groups (pgo_names.c:1006)
==23637==    by 0x405DC824: xad_sec_make_ms_pac_info (sec_ad.c:547)
==23637==    by 0x405DC90B: xad_sec_make_pac (sec_ad.c:598)
==23637==    by 0x8048BF0: dump_pac (makepac.c:34)
==23637==    by 0x8048DD2: main (makepac.c:80)
==23637==    by 0x4062D627: __libc_start_main
(../sysdeps/generic/libc-start.c:129)
==23637==    by 0x8048A31: (within
/home/lukeh/CVSRoot/padl/XAD/src/tools/makepac/.libs/makepac)
==23637==

The code paths in try_read1msg() are pretty complicated, so I didn't diagnose
the exact problem, but the following fix works (at the possible expense of
leaking memory):

Index: result.c
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/libraries/libldap/result.c,v
retrieving revision 1.74
diff -u -r1.74 result.c
--- result.c    24 Oct 2002 21:51:34 -0000      1.74
+++ result.c    28 Nov 2002 00:52:58 -0000
@@ -787,9 +787,11 @@
                                ldap_free_request( ld, lr );
                        }
 
+#if 0
                        if ( lc != NULL ) {
                                ldap_free_connection( ld, lc, 0, 1 );
                        }
+#endif
                }
        }
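Review bot: wrapping the ldap_free_connection( ld, lc, 0, 1 ) call in #if 0 hides the use-after-free but, as the description already notes, leaks the connection on every path that reaches this block. The valgrind trace shows why the read fails: the sockbuf is freed by ldap_free_connection() called from try_read1msg() at result.c:792, and the same try_read1msg() invocation then reads it again through ber_sockbuf_ctrl() at result.c:897, so the defect is that execution continues with a dangling lc after the free rather than the free itself. The hunk should instead make sure try_read1msg() does not touch lc (or its sockbuf) after this point, for example by returning here or by clearing lc and testing it before the later ber_sockbuf_ctrl() use, and keep the ldap_free_connection() call so the connection is still released.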

This might also explain a similar crash I saw in slapd when using the
"subordinate" glue.