
(ITS#4023) rewrite_session_var_set_f() bugs



Full_Name: Hallvard B Furuseth
Version: HEAD
OS: Linux
URL: 
Submission from: (NULL) (129.240.186.42)
Submitted by: hallvard


In test039 with bdb, rewrite_session_var_set_f() calls
rewrite_session_return() which unlocks session->ls_mutex which is not
locked.  From a brief look at the code, I think it comes from
rewrite_session_init() when it returns a new session - without locking
the mutex.

Also, rewrite_session_var_set_f() will crash if rewrite_session_init()
returns NULL.

It's the third slapd in test039:

(gdb) backtrace
...
#3  0x0818d6f7 in error (file=0x823d422 "thr_debug.c", line=758, msg=0x823da68 "ldap_pvt_thread_mutex_unlock", var=0x823d769 "rc", val=1) at thr_debug.c:238 (a private thread debug package)
#4  0x0818ee7e in ldap_pvt_thread_mutex_unlock (mutex=0x830bc18) at thr_debug.c:758
#5  0x0817f582 in rewrite_session_return (info=0x82bed68, session=0x830bc08) at session.c:181
#6  0x0817f792 in rewrite_session_var_set_f (info=0x82bed68, cookie=0xb7bfbbe8, name=0xb7c63205 "searchFilter", value=0xb72f802c "(objectClass=*)", flags=15) at session.c:234
#7  0xb7c5defd in rwm_op_search (op=0x830b928, rs=0xb77f9210) at rwm.c:672
#8  0x080e54a8 in overlay_op_walk (op=0x830b928, rs=0xb77f9210, which=op_search, oi=0x82a6bc8, on=0x82a6cc0) at backover.c:480
#9  0x080e56de in over_op_func (op=0x830b928, rs=0xb77f9210, which=op_search) at backover.c:540
#10 0x080e5762 in over_op_search (op=0x830b928, rs=0xb77f9210) at backover.c:562
#11 0x0807e7a5 in do_search (op=0x830b928, rs=0xb77f9210) at search.c:219
#12 0x0807bcd5 in connection_operation (ctx=0xb77f92a4, arg_v=0x830b928) at connection.c:1061
#13 0x0818c6cc in ldap_int_thread_pool_wrapper (xpool=0x828c790) at tpool.c:485
#14 0x00bf9341 in start_thread () from /lib/tls/libpthread.so.0
#15 0x00a79fee in clone () from /lib/tls/libc.so.6
(gdb) frame 6
#6  0x0817f792 in rewrite_session_var_set_f (info=0x82bed68, cookie=0xb7bfbbe8, name=0xb7c63205 "searchFilter", value=0xb72f802c "(objectClass=*)", flags=15) at session.c:234
234             rewrite_session_return( info, session );
(gdb) set print pretty
(gdb) print *info
$4 = {
  li_context = 0x82a7f98, 
  li_maps = 0x0, 
  li_params = 0x0, 
  li_cookies = 0x82fe818, 
  li_num_cookies = 1, 
  li_params_mutex = {
    wrapped = 0x82a6eb8, 
    usage = {
      ptr = 0x12345678 <Address 0x12345678 out of bounds>, 
      num = 305419896
    }
  }, 
  li_cookies_mutex = {
    wrapped = 0x82a6e18, 
    usage = {
      ptr = 0x12345678 <Address 0x12345678 out of bounds>, 
      num = 305419896
    }
  }, 
  li_state = 1, 
  li_max_passes = 100, 
  li_max_passes_per_rule = 100, 
  li_rewrite_mode = 19
}
(gdb) print *session
$5 = {
  ls_cookie = 0xb7bfbbe8, 
  ls_vars = 0x830bd28, 
  ls_vars_mutex = {
    wrapped = 0x830bc40, 
    usage = {
      ptr = 0x12345678 <Address 0x12345678 out of bounds>, 
      num = 305419896
    }
  }, 
  ls_mutex = {
    wrapped = {
      __m_reserved = 0, 
      __m_count = 0, 
      __m_owner = 0x0, 
      __m_kind = 2, 
      __m_lock = {
        __status = 0, 
        __spinlock = 0
      }
    }, 
    usage = {
      ptr = 0x12345678 <Address 0x12345678 out of bounds>, 
      num = 305419896
    }
  }, 
  ls_count = 1
}
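The lock contract the report describes, reduced to a self-contained checked model as an added example. This is not OpenLDAP's librewrite code: session_get, session_init, session_return, var_set, dbg_mutex_t and the info_t layout are hypothetical stand-ins for the real functions and structures named in the report. The point it reproduces is that a session found by cookie comes back locked and session_return() unconditionally unlocks it, so a freshly created session handed back unlocked yields exactly the unlock-of-an-unheld-mutex that the thr_debug.c wrapper in the backtrace aborted on. The NULL-from-creation check is kept in both modes, because the unpatched caller would simply dereference NULL and there is nothing to observe but a crash.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the ITS#4023 session protocol; not OpenLDAP's code.
 * It reproduces (1) a new session returned unlocked to a caller whose
 * session_return() always unlocks, and (2) the need to check creation
 * for NULL before touching the session. */

/* Checked mutex in the spirit of thr_debug.c: tracks whether it is held so
 * an unlock of an unheld mutex is counted instead of being undefined
 * behaviour. The model is single-threaded, so no real pthread mutex. */
typedef struct {
    int held;         /* 1 while locked */
    int bad_unlocks;  /* unlock() calls made while not held */
} dbg_mutex_t;

static void dbg_lock(dbg_mutex_t *mx) { mx->held = 1; }

static int dbg_unlock(dbg_mutex_t *mx)
{
    if (!mx->held) {          /* the condition thr_debug.c trapped on */
        mx->bad_unlocks++;
        return -1;
    }
    mx->held = 0;
    return 0;
}

typedef struct session {
    const void *cookie;   /* per-operation key, like ls_cookie */
    dbg_mutex_t mutex;    /* like ls_mutex */
    int count;            /* like ls_count */
    char var[64];         /* one variable, e.g. "searchFilter" */
} session_t;

#define MAX_SESSIONS 4
typedef struct {
    session_t *sessions[MAX_SESSIONS];
    int nsessions;
    int fail_alloc;       /* force session_init() to return NULL */
} info_t;

/* Contract the caller relies on: a session handed out by session_get() is
 * locked, and session_return() unlocks it. The reported bug is that a
 * newly created session did not honour the same contract. */
static session_t *session_get(info_t *info, const void *cookie)
{
    for (int i = 0; i < info->nsessions; i++) {
        session_t *s = info->sessions[i];
        if (s->cookie == cookie) {
            dbg_lock(&s->mutex);
            s->count++;
            return s;
        }
    }
    return NULL;
}

static session_t *session_init(info_t *info, const void *cookie, int lock_on_create)
{
    if (info->fail_alloc || info->nsessions == MAX_SESSIONS)
        return NULL;                   /* caller must cope with this */
    session_t *s = calloc(1, sizeof *s);
    if (s == NULL)
        return NULL;
    s->cookie = cookie;
    s->count = 1;
    if (lock_on_create)                /* the fix: hand it back locked, like session_get() */
        dbg_lock(&s->mutex);
    info->sessions[info->nsessions++] = s;
    return s;
}

static int session_return(session_t *s)
{
    s->count--;
    return dbg_unlock(&s->mutex);      /* -1 if the session was not locked */
}

/* The caller from the report: look up, create on a miss, set, release.
 * `fixed` selects whether creation returns the session locked. */
static int var_set(info_t *info, const void *cookie, const char *value, int fixed)
{
    session_t *s = session_get(info, cookie);
    if (s == NULL) {
        s = session_init(info, cookie, fixed);
        if (s == NULL)
            return -1;   /* unpatched caller skipped this and dereferenced NULL */
    }
    strncpy(s->var, value, sizeof s->var - 1);
    return session_return(s);
}

static void info_destroy(info_t *info)
{
    for (int i = 0; i < info->nsessions; i++)
        free(info->sessions[i]);
    info->nsessions = 0;
}

/* Two var_set() calls on one cookie: the first creates the session, the
 * second finds it. Returns how many unbalanced unlocks the mutex saw. */
int run_scenario(int fixed)
{
    info_t info = {0};
    const char cookie = 0;             /* any unique address serves as a cookie */
    var_set(&info, &cookie, "(objectClass=*)", fixed);
    var_set(&info, &cookie, "(cn=foo)", fixed);
    int bad = info.sessions[0]->mutex.bad_unlocks;
    info_destroy(&info);
    return bad;
}

/* Creation failure surfaces as an error code instead of a NULL dereference. */
int alloc_failure_scenario(void)
{
    info_t info = {0};
    info.fail_alloc = 1;
    return var_set(&info, "k", "(objectClass=*)", 1);
}
```

With the unfixed path run_scenario(0) reports one bad unlock, from the first call only: once the session exists, session_get() locks it and the pair balances, which is why the imbalance shows up on the first operation that creates a session rather than on every search.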