BDB coredump in test008, bad e->e_dn (ITS#2595)

[h.b.furuseth@usit.uio.no]

Full_Name: Hallvard B Furuseth
Version: HEAD as of Jun 11 16:30
OS: Solaris
URL: 
Submission from: (NULL) (129.240.186.42)
Submitted by: hallvard


Coredump in BDB access_allowed() debug output: Printing e->e_dn which is
NULL, even though e->e_name.bv_len (e->e_dn's supposed length) is 48.
I have saved the coredump for the time being.

This is HEAD as of Jun 11 16:30.
back-bdb/cache.c is rev 1.40, if that is of any interest.

bash$ gdb ../servers/slapd/slapd core
Core was generated by `../servers/slapd/slapd -s0 -f ./test-db/slapd.conf -h
ldap://localhost:9009/ -d'.
Program terminated with signal 11, Segmentation fault.
#0  0xfef33200 in strlen () from /usr/lib/libc.so.1
(gdb) set radix 16
Input and output radices now set to decimal 16, hex 10, octal 20.
(gdb) bt
#0  0xfef33200 in strlen () from /usr/lib/libc.so.1
#1  0xfef86210 in _doprnt () from /usr/lib/libc.so.1
#2  0xfef88384 in vsnprintf () from /usr/lib/libc.so.1
#3  0x000c94c8 in lutil_debug (debug=0xfbf3fa88, level=0x80, 
    fmt=0x168a28 "=> access_allowed: %s access to \"%s\" \"%s\" requested\n")
    at debug.c:313
#4  0x0004b300 in access_allowed (op=0x290900, e=0x15de7c0, desc=0x232c40, 
    val=0x1df2178, access=ACL_SEARCH, state=0x0) at acl.c:169
#5  0x0004a068 in test_ava_filter (op=0x290900, e=0x15de7c0, ava=0x1df2174, 
    type=0xa3) at filterentry.c:382
#6  0x00049960 in test_filter (op=0x290900, e=0x15de7c0, f=0x1df219c)
    at filterentry.c:116
#7  0x00074cf4 in bdb_do_search (op=0x290900, rs=0xfc001ad8, sop=0x290900, 
    ps_e=0x0, ps_type=0x0) at search.c:1115
#8  0x00073724 in bdb_search (op=0x290900, rs=0xfc001ad8) at search.c:357
#9  0x0003718c in do_search (op=0x290900, rs=0xfc001ad8) at search.c:395
#10 0x00035194 in connection_operation (ctx=0xfc001b80, arg_v=0x290900)
    at connection.c:978
#11 0x000a7974 in ldap_int_thread_pool_wrapper (xpool=0x223e00) at tpool.c:463
(gdb) frame 4
#4  0x0004b300 in access_allowed (op=0x290900, e=0x15de7c0, desc=0x232c40, 
    val=0x1df2178, access=ACL_SEARCH, state=0x0) at acl.c:169
169            access2str( access ), e->e_dn, attr );
(gdb) list
164            "access_allowed: %s access to \"%s\" \"%s\" requested\n",
165            access2str( access ), e->e_dn, attr );
166    #else
167        Debug( LDAP_DEBUG_ACL,
168            "=> access_allowed: %s access to \"%s\" \"%s\" requested\n",
169            access2str( access ), e->e_dn, attr );
170    #endif
171    
172        if ( op == NULL ) {
173            /* no-op call */
(gdb) print access
$1 = ACL_SEARCH
(gdb) print e
$2 = (Entry *) 0x15de7c0
(gdb) print e->e_dn
There is no member named e_dn.
(gdb) print e->e_name.bv_val
$3 = 0x0
(gdb) print attr
$4 = 0x22c890 "cn"
(gdb) print *e
$5 = {e_id = 0x9a, e_name = {bv_len = 0x30, bv_val = 0x0}, e_nname = {
    bv_len = 0x30, bv_val = 0x0}, e_attrs = 0x0, e_ocflags = 0x20, e_bv = {
    bv_len = 0x0, bv_val = 0x0}, e_private = 0x0}
(gdb) frame 7
#7  0x00074cf4 in bdb_do_search (op=0x290900, rs=0xfc001ad8, sop=0x290900, 
    ps_e=0x0, ps_type=0x0) at search.c:1115
1115                    rs->sr_err = test_filter( sop,
(gdb) print e
$7 = (Entry *) 0x15de7c0
(gdb) print base
$8 = {e_id = 0x1, e_name = {bv_len = 0x0, bv_val = 0x0}, e_nname = {
    bv_len = 0x1d, bv_val = 0x20f5120 "o=university of michigan,c=us"}, 
  e_attrs = 0x0, e_ocflags = 0x0, e_bv = {bv_len = 0x0, bv_val = 0x0}, 
  e_private = 0x26e7c0}
(gdb) print matched
$9 = (Entry *) 0x0
(gdb) print ei
$10 = (EntryInfo *) 0x15de600
(gdb) print *ei
$11 = {bei_parent = 0x26e7c0, bei_id = 0x9a, bei_state = 0x3, bei_nrdn = {
    bv_len = 0x12, bv_val = 0x29afe0 "cn=james a jones 5"}, bei_e = 0x15de7c0, 
  bei_kids = 0x0, bei_kids_mutex = {__pthread_mutex_flags = {
      __pthread_mutex_flag1 = 0x0, __pthread_mutex_flag2 = 0x0, 
      __pthread_mutex_ceiling = 0x0, __pthread_mutex_type = 0x0, 
      __pthread_mutex_magic = 0x0}, __pthread_mutex_lock = {
      __pthread_mutex_lock64 = {__pthread_mutex_pad = "\0\0\0\0\0\0\0"}, 
      __pthread_mutex_lock32 = {__pthread_ownerpid = 0x0, 
        __pthread_lockword = 0x0}, __pthread_mutex_owner64 = 0x0}, 
    __pthread_mutex_data = 0x0}, bei_lrunext = 0x26e200, bei_lruprev = 0x0}
(gdb) print realbase
$12 = {bv_len = 0x1d, bv_val = 0x20f5120 "o=university of michigan,c=us"}
(gdb) print tentries
$13 = 0x9c
(gdb) print attrs
$14 = (AttributeName *) 0x1df21f4
(gdb) print *attrs
$15 = {an_name = {bv_len = 0x2, bv_val = 0x292fcc "cn"}, an_desc = 0x232c40, 
  an_oc = 0x0}
(gdb) print entry_count
No symbol "entry_count" in current context.
(gdb) print isroot
$16 = 0x0
(gdb) print locker
$17 = 0x10
(gdb) print lock
$18 = {off = 0x44b90, ndx = 0x34f, gen = 0x1cfb, mode = DB_LOCK_READ}

Test output:

./scripts/test008-concurrency . bdb yes yes
running defines.sh
Datadir is ./data
Cleaning up in ./test-db...
Running slapadd to build slapd database...
Waiting 5 seconds for slapadd to build slapd database...
Starting slapd on TCP/IP port 9009...
Using ldapsearch to check that slapd is running...
Waiting 5 seconds for slapd to start...
Using tester for concurrent server access...
PID=5284 - Read(1000): entry="cn=Barbara Jensen, ou=Information Technology
Division, ou=People, o=University of Michigan, c=US".
PID=5283 - Search(500): base="o=University of Michigan,c=US", filter="cn=Barbara
Jensen".
PID=5285 - Modrdn(50): entry="cn=Dorothy Stevens,ou=Alumni
Association,ou=People,o=University of Michigan,c=US".
PID=5297 - Modrdn(50): entry="cn=James A Jones 2,ou=Information Technology
Division,ou=People,o=University of Michigan,c=US".
PID=5300 - Read(1000): entry="cn=James A Jones 1, ou=Alumni Association,
ou=People, o=University of Michigan, c=US".
PID=5296 - Read(1000): entry="ou=Alumni Association, ou=People, o=University of
Michigan, c=US".
PID=5286 - Add/Delete(50): entry="cn=James A Jones 2,ou=Alumni
Association,ou=People,o=University of Michigan,c=US".
PID=5293 - Modrdn(50): entry="cn=Ursula Hampster,ou=Alumni
Association,ou=People,o=University of Michigan,c=US".
PID=5294 - Add/Delete(50): entry="cn=James A Jones 4,ou=People,o=University of
Michigan,c=US".
PID=5295 - Search(500): base="o=University of Michigan,c=US", filter="cn=Bjorn
Jensen".
PID=5288 - Read(1000): entry="cn=ITD Staff,ou=Groups,o=University of
Michigan,c=US".
PID=5299 - Search(500): base="o=University of Michigan,c=US", filter="cn=Alumni
Assoc Staff".
PID=5289 - Modrdn(50): entry="cn=John Doe,ou=Information Technology
Division,ou=People,o=University of Michigan,c=US".
PID=5291 - Search(500): base="o=University of Michigan,c=US", filter="cn=James A
Jones 1".
PID=5292 - Read(1000): entry="ou=Groups, o=University of Michigan, c=US".
PID=5298 - Add/Delete(50): entry="cn=James A Jones 5,o=University of
Michigan,c=US".
PID=5290 - Add/Delete(50): entry="cn=James A Jones 3,ou=Alumni
Association,ou=People,o=University of Michigan,c=US".
PID=5287 - Search(500): base="o=University of Michigan,c=US", filter="cn=Bjorn
Jensen".
 PID=5285 - Modrdn done.
 PID=5297 - Modrdn done.
 PID=5293 - Modrdn done.
 PID=5289 - Modrdn done.
ldap_read: Can't contact LDAP server (81)
 PID=5296 - Read done.
ldap_search: Can't contact LDAP server (81)
 PID=5291 - Search done.
ldap_search: Can't contact LDAP server (81)
 PID=5283 - Search done.
ldap_search: Can't contact LDAP server (81)
 PID=5287 - Search done.
ldap_read: Can't contact LDAP server (81)
 PID=5284 - Read done.
ldap_read: Can't contact LDAP server (81)
 PID=5292 - Read done.
ldap_read: Can't contact LDAP server (81)
 PID=5300 - Read done.
ldap_search: Can't contact LDAP server (81)
 PID=5299 - Search done.
ldap_read: Can't contact LDAP server (81)
 PID=5288 - Read done.
ldap_search: Can't contact LDAP server (81)
 PID=5295 - Search done.
ldap_delete: Can't contact LDAP server (81)
 PID=5290 - Add/Delete done.
ldap_delete: Can't contact LDAP server (81)
 PID=5294 - Add/Delete done.
ldap_add: Can't contact LDAP server (81)
 PID=5298 - Add/Delete done.
ldap_add: Can't contact LDAP server (81)
 PID=5286 - Add/Delete done.
5274 Segmentation Fault - core dumped