crasher in try_read2msg() (ITS#2212)
Full_Name: Luke Howard
Version: HEAD
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (165.228.130.11)
I noticed that after adding some referrals to my directory, I was getting random
crashes in our LDAP clients, usually with the assertion in ber_sockbuf_ctrl()
failing.
I ran valgrind and found the following:
==23637== Invalid read of size 2
==23637== at 0x40283A08: ber_sockbuf_ctrl (sockbuf.c:82)
==23637== by 0x402582E1: try_read1msg (result.c:897)
==23637== by 0x402575C4: wait4msg (result.c:354)
==23637== by 0x40259430: ldap_search_ext_s (search.c:148)
==23637== by 0x405EB13D: xad_ds__search (ds_result.c:136)
==23637== by 0x405EB3ED: xad_ds__reconnecting_search (ds_result.c:222)
==23637== by 0x405EB4BB: xad_ds_search (ds_result.c:252)
==23637== by 0x405EB5B2: xad_ds_search_one (ds_result.c:291)
==23637== by 0x402464A2: xad_pgo_crack_single_name (pgo_names.c:746)
==23637== by 0x40246C4D: xad_pgo_get_token_groups (pgo_names.c:1006)
==23637== by 0x405DC824: xad_sec_make_ms_pac_info (sec_ad.c:547)
==23637== by 0x405DC90B: xad_sec_make_pac (sec_ad.c:598)
==23637== by 0x8048BF0: dump_pac (makepac.c:34)
==23637== by 0x8048DD2: main (makepac.c:80)
==23637== by 0x4062D627: __libc_start_main (../sysdeps/generic/libc-start.c:129)
==23637== by 0x8048A31: (within /home/lukeh/CVSRoot/padl/XAD/src/tools/makepac/.libs/makepac)
==23637== Address 0x4181C2D4 is 0 bytes inside a block of size 28 free'd
==23637== at 0x40047542: free (in /usr/lib/valgrind/valgrind.so)
==23637== by 0x405E7728: xad_free (core.c:193)
==23637== by 0x40282CB6: ber_memfree (memory.c:151)
==23637== by 0x402839C1: ber_sockbuf_free (sockbuf.c:70)
==23637== by 0x40265BEF: ldap_free_connection (request.c:495)
==23637== by 0x4025810F: try_read1msg (result.c:792)
==23637== by 0x402575C4: wait4msg (result.c:354)
==23637== by 0x40259430: ldap_search_ext_s (search.c:148)
==23637== by 0x405EB13D: xad_ds__search (ds_result.c:136)
==23637== by 0x405EB3ED: xad_ds__reconnecting_search (ds_result.c:222)
==23637== by 0x405EB4BB: xad_ds_search (ds_result.c:252)
==23637== by 0x405EB5B2: xad_ds_search_one (ds_result.c:291)
==23637== by 0x402464A2: xad_pgo_crack_single_name (pgo_names.c:746)
==23637== by 0x40246C4D: xad_pgo_get_token_groups (pgo_names.c:1006)
==23637== by 0x405DC824: xad_sec_make_ms_pac_info (sec_ad.c:547)
==23637== by 0x405DC90B: xad_sec_make_pac (sec_ad.c:598)
==23637== by 0x8048BF0: dump_pac (makepac.c:34)
==23637== by 0x8048DD2: main (makepac.c:80)
==23637== by 0x4062D627: __libc_start_main (../sysdeps/generic/libc-start.c:129)
==23637== by 0x8048A31: (within /home/lukeh/CVSRoot/padl/XAD/src/tools/makepac/.libs/makepac)
==23637==
The code paths in try_read1msg() are pretty complicated, so I didn't diagnose
the exact problem, but the following fix works (at the possible expense of
leaking memory):
Index: result.c
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/libraries/libldap/result.c,v
retrieving revision 1.74
diff -u -r1.74 result.c
--- result.c 24 Oct 2002 21:51:34 -0000 1.74
+++ result.c 28 Nov 2002 00:52:58 -0000
@@ -787,9 +787,11 @@
ldap_free_request( ld, lr );
}
+#if 0
if ( lc != NULL ) {
ldap_free_connection( ld, lc, 0, 1 );
}
+#endif
}
}
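Review bot: wrapping the `ldap_free_connection( ld, lc, 0, 1 );` call in `#if 0` trades a use-after-free for a connection leak rather than fixing the ordering problem the valgrind trace points at: the block is freed by ldap_free_connection() called from try_read1msg (result.c:792) and then read again by ber_sockbuf_ctrl() called from try_read1msg (result.c:897), so `lc` is still dereferenced after this free. The safer change is to keep the free but stop the later code from touching the freed connection, for example by setting `lc = NULL;` immediately after `ldap_free_connection( ld, lc, 0, 1 );` and guarding the sockbuf access at result.c:897 on `lc != NULL`, or by moving the free past the last use of `lc` in this function. If the `#if 0` is kept as a stopgap, it should carry a comment naming ITS#2212 and the leak it introduces so it is not mistaken for intentional dead code.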
This might also explain a similar crash I saw in slapd when using the
"subordinate" glue.