
(ITS#7692) segfault in overlay constraint - constraint_check_restrict (op=0x7fffa8000960, c=0x9e60f0, e=0x0) at constraint.c:713



Full_Name: Clement OUDOT
Version: 2.4.35
OS: CentOS 6 64bits
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (83.145.72.122)


I use the overlay constraint to check that a value of the attribute ssoRoles
exists in the directory. The configuration looks like this:

----------------------------------------------
overlay constraint
constraint_attribute ssoRoles uri
  ldap:///ou=applications,dc=cirra,dc=net?entrydn?sub?(&(objectClass=organizationalUnit)(ou:dn:=roles))
  restrict="ldap:///ou=users,dc=cirra,dc=net??one?(objectClass=inetOrgPerson)"
----------------------------------------------

An ldapmodify with this LDIF crashes the slapd process:
----------------------------------------------
dn: uid=toto,ou=users,dc=cirra,dc=net
changetype: modify
add: ssoRoles
ssoRoles: ou=ROLE_PES,ou=roles,ou=simabo,ou=applications,dc=cirra,dc=net
----------------------------------------------

The crash occurs because the entry uid=toto,ou=users,dc=cirra,dc=net does not
exist. The same LDIF on an existing entry works well.


Below is the stacktrace generated with gdb:
----------------------------------------------

(gdb) run -d 0
Starting program: /usr/local/openldap/libexec/slapd -d 0
[Thread debugging using libthread_db enabled]
[New Thread 0x7fffb3d42700 (LWP 16519)]
[New Thread 0x7fffb3541700 (LWP 16521)]
[New Thread 0x7fffb2d40700 (LWP 16522)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffb2d40700 (LWP 16522)]
constraint_check_restrict (op=0x7fffa8000960, c=0x9e60f0, e=0x0) at
constraint.c:713
713                     int diff = e->e_nname.bv_len - c->restrict_ndn.bv_len;
Missing separate debuginfos, use: debuginfo-install
berkeleydb-ltb-4.6.21.NC-4.el6.patch4.x86_64
cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-ldap-2.1.23-13.el6_3.1.x86_64 cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-plain-2.1.23-13.el6_3.1.x86_64 db4-4.7.25-17.el6.x86_64
glibc-2.12-1.107.el6.x86_64 keyutils-libs-1.4-4.el6.x86_64
krb5-libs-1.10.3-10.el6.x86_64 libcom_err-1.41.12-14.el6.x86_64
libselinux-2.0.94-5.3.el6.x86_64 libtool-ltdl-2.2.6-15.5.el6.x86_64
nss-softokn-freebl-3.12.9-11.el6.x86_64 openssl-1.0.0-27.el6.x86_64
zlib-1.2.3-29.el6.x86_64
(gdb) bt full
#0  constraint_check_restrict (op=0x7fffa8000960, c=0x9e60f0, e=0x0) at
constraint.c:713
        diff = <value optimized out>
        __PRETTY_FUNCTION__ = "constraint_check_restrict"
#1  0x000000000054b39f in constraint_update (op=<value optimized out>,
rs=0x7fffb2d3f950) at constraint.c:989
        j = <value optimized out>
        ce = 0
        on = 0x9e5e30
        be = 0x7fffb2d3e4e0
        c = 0x9e60f0
        cp = <value optimized out>
        target_entry = 0x0
        target_entry_copy = 0x0
        modlist = 0x7fffa8000920
        m = 0x7fffa8000920
        b = 0x7fffa81015c0
        i = <value optimized out>
        rsv = {bv_len = 24, bv_val = 0x60f2a4 "modify breaks constraint"}
        rc = <value optimized out>
        msg = 0x0
        is_v = <value optimized out>
#2  0x00000000004a6d7a in overlay_op_walk (op=0x7fffa8000960, rs=0x7fffb2d3f950,
which=op_modify, oi=0x9e1020, on=0x9e5e30)
    at backover.c:661
        func = 0x9e5e88
        rc = 32768
#3  0x00000000004a7847 in over_op_func (op=0x7fffa8000960, rs=<value optimized
out>, which=<value optimized out>)
    at backover.c:723
        oi = <value optimized out>
        on = <value optimized out>
        be = 0x9ba220
        db = {bd_info = 0x9e5e30, bd_self = 0x9ba220,
          be_ctrls =
"\000\000\000\001\001\001\000\001\000\000\001\000\000\001\001\000\001\000\000\001",
'\000' <repeats 12 times>, "\001", be_flags = 2312, be_restrictops = 0,
be_requires = 0, be_ssf_set = {sss_ssf = 0, sss_transport = 0,
            sss_tls = 0, sss_sasl = 0, sss_update_ssf = 0, sss_update_transport
= 0, sss_update_tls = 0,
            sss_update_sasl = 0, sss_simple_bind = 0}, be_suffix = 0x9dca20,
be_nsuffix = 0x9dca50, be_schemadn = {
            bv_len = 0, bv_val = 0x0}, be_schemandn = {bv_len = 0, bv_val =
0x0}, be_rootdn = {bv_len = 26,
            bv_val = 0x9dcb70 "cn=manager,dc=cirra,dc=net"}, be_rootndn =
{bv_len = 26,
            bv_val = 0x9dcbc0 "cn=manager,dc=cirra,dc=net"}, be_rootpw = {bv_len
= 38,
            bv_val = 0x9dc8b0 "{SSHA}2S9rqrduHEq4AcNIfS+wxClQwbD5aoLn"},
be_max_deref_depth = 15, be_def_limit = {
            lms_t_soft = 3600, lms_t_hard = 0, lms_s_soft = 500, lms_s_hard = 0,
lms_s_unchecked = -1, lms_s_pr = 0,
            lms_s_pr_hide = 0, lms_s_pr_total = 0}, be_limits = 0x9e01a0, be_acl
= 0x9b9850, be_dfltaccess = ACL_READ,
          be_extra_anlist = 0x0, be_update_ndn = {bv_len = 0, bv_val = 0x0},
be_update_refs = 0x0,
---Type <return> to continue, or q <return> to quit---
          be_pending_csn_list = 0xa6f7f0, be_pcl_mutex = {__data = {__lock = 0,
__count = 0, __owner = 0, __nusers = 0,
              __kind = 0, __spins = 0, __list = {__prev = 0x0, __next = 0x0}},
__size = '\000' <repeats 39 times>,
            __align = 0}, be_syncinfo = 0x0, be_pb = 0x0, be_cf_ocs = 0x8838c0,
be_private = 0x9ba3c0, be_next = {
            stqe_next = 0x9e6470}}
        cb = {sc_next = 0x0, sc_response = 0x4a6af0 <over_back_response>,
sc_cleanup = 0, sc_private = 0x9e1020}
        sc = <value optimized out>
        rc = 32768
        __PRETTY_FUNCTION__ = "over_op_func"
#4  0x000000000045728b in fe_op_modify (op=0x7fffa8000960, rs=0x7fffb2d3f950) at
modify.c:303
        update = <value optimized out>
        repl_user = <value optimized out>
        op_be = <value optimized out>
        bd = 0x88c200
        textbuf = ">\000\000\000\000\000\000\000\240\030\020\250\377\177\000\000\000\000\000\000\000\000\000\000@\026\020\250\377\177\000\000\240\235G\000\000\000\000\000\267\244E",
'\000' <repeats 13 times>, "\003\000\000\000\060\000\000\000[\000\000\000|",
'\000' <repeats 11 times>, "\b", '\000' <repeats 31 times>,
">\000\000\000\000\000\000\000\360\025\020\250\377\177\000\000\000\000\000\000\000\000\000\000
\t\000\250\377\177\000\000\000\000\000\000\000\000\000\000@É
#5  0x0000000000457bb6 in do_modify (op=0x7fffa8000960,
rs=0x7fffb2d3f950) at modify.c:177
        dn = {bv_len = 33, bv_val = 0x7fffa8101507
"uid=toto,ou=users,dc=cirra,dc=net"}
        textbuf = "\027\f\000\250\377\177", '\000' <repeats 42 times>,
"PG\253\367\000\000\000\000P\333\377\367\377\177\000\000\000\000A", '\000'
<repeats 13 times>, "\030f@\000\000\000\000\000Y\345`\237\064", '\000' <repeats
11 times>"\351, \363[\000\000\000\000\000`\t\000\250\377\177\000\000\340\024\302\236\064\000\000\000\377\377\377\377\377\177\000\000\030\372Ó²\377\177\000\000\210\021\302\236\064\000\000\000@\304X\237\064",
'\000' <repeats 11 times>,
":\236\240\236\064\000\000\000\320\016\000\250\377\177\000\000\000\000\020\000\000\000\000\000\001\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\260\372Ó²\377\177\000\000\360.I",
'\000' <repeats 13 times>,
"\t\000\000\000\062\000\000\000`\t\000\250\377\177\000\000\320\016\000\250\377\177\000"
        tmp = <value optimized out>
#6  0x000000000043f9a9 in connection_operation (ctx=0x7fffb2d3fab0,
arg_v=0x7fffa8000960) at connection.c:1155
        rc = 80
        cancel = <value optimized out>
        op = 0x7fffa8000960
        rs = {sr_type = REP_RESULT, sr_tag = 0, sr_msgid = 0, sr_err = 0,
sr_matched = 0x0, sr_text = 0x0, sr_ref = 0x0,
          sr_ctrls = 0x0, sr_un = {sru_search = {r_entry = 0x0, r_attr_flags =
0, r_operational_attrs = 0x0, r_attrs = 0x0,
              r_nentries = 0, r_v2ref = 0x0}, sru_sasl = {r_sasldata = 0x0},
sru_extended = {r_rspoid = 0x0,
              r_rspdata = 0x0}}, sr_flags = 0}
        tag = 102
        opidx = SLAP_OP_MODIFY
        conn = 0x7ffff632bc10
---Type <return> to continue, or q <return> to quit---
        memctx = 0x7fffa8000ed0
        memctx_null = 0x0
        memsiz = 1048576
        __PRETTY_FUNCTION__ = "connection_operation"
#7  0x0000000000440195 in connection_read_thread (ctx=0x7fffb2d3fab0,
argv=<value optimized out>) at connection.c:1291
        rc = <value optimized out>
        cri = {op = 0x7fffa8000960, func = 0, arg = 0x0, ctx = 0x7fffb2d3fab0,
nullop = <value optimized out>}
        s = <value optimized out>
#8  0x0000000000593d00 in ldap_int_thread_pool_wrapper (xpool=0x960c00) at
tpool.c:688
        pool = 0x960c00
        task = 0x7fffac0008c0
        work_list = <value optimized out>
        ctx = {ltu_id = 140736193627904, ltu_key = {{ltk_key = 0x43e7c0,
ltk_data = 0x7fffa8000dc0,
              ltk_free = 0x43e890 <conn_counter_destroy>}, {ltk_key = 0x492d40,
ltk_data = 0x7fffa8000ed0,
              ltk_free = 0x492d60 <slap_sl_mem_destroy>}, {ltk_key = 0xa6f810,
ltk_data = 0x7fffa8100f80,
              ltk_free = 0x4f7280 <bdb_reader_free>}, {ltk_key = 0x452ba0,
ltk_data = 0x0,
              ltk_free = 0x452970 <slap_op_q_destroy>}, {ltk_key = 0x0, ltk_data
= 0x0, ltk_free = 0} <repeats 25 times>, {
              ltk_key = 0x0, ltk_data = 0x349f607eea, ltk_free = 0}, {ltk_key =
0x0, ltk_data = 0x0, ltk_free = 0}, {
              ltk_key = 0x0, ltk_data = 0x0, ltk_free = 0}}}
        kctx = <value optimized out>
        keyslot = 555
        hash = <value optimized out>
        __PRETTY_FUNCTION__ = "ldap_int_thread_pool_wrapper"
#9  0x000000349f607851 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#10 0x000000349f2e890d in clone () from /lib64/libc.so.6
No symbol table info available.
(gdb)


----------------------------------------------



Please tell me if something else is needed in this bug report.


Regards,


Clement OUDOT.
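
An added illustration, not part of the original report and not OpenLDAP's code: a reduced model of the restrict scope test that checks the entry pointer before reading its normalized DN, which is the step that faults at constraint.c:713 when e=0x0. The struct layouts, the helper name restrict_in_scope and the R_* return codes are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for slapd's struct berval and Entry (assumed layout). */
struct berval { size_t bv_len; const char *bv_val; };
struct entry  { struct berval e_nname; };
enum { SCOPE_BASE, SCOPE_ONE, SCOPE_SUB };
enum { R_MISSING = -1, R_OUT = 0, R_IN = 1 };

static struct berval bv(const char *s)
{
    struct berval b = { strlen(s), s };
    return b;
}

/* Hypothetical helper: is entry e inside the restrict base and scope?
 * Assumes normalized DNs without escaped commas. */
static int restrict_in_scope(const struct entry *e,
                             const struct berval *base, int scope)
{
    if (e == NULL)                     /* modify target does not exist */
        return R_MISSING;
    const struct berval *dn = &e->e_nname;
    if (dn->bv_len < base->bv_len)     /* unsigned subtraction would wrap */
        return R_OUT;
    size_t diff = dn->bv_len - base->bv_len;
    if (memcmp(dn->bv_val + diff, base->bv_val, base->bv_len) != 0)
        return R_OUT;                  /* DN does not end with the base DN */
    if (diff == 0)                     /* entry is the base itself */
        return scope == SCOPE_ONE ? R_OUT : R_IN;
    if (scope == SCOPE_BASE || dn->bv_val[diff - 1] != ',')
        return R_OUT;                  /* suffix must start at an RDN boundary */
    if (scope == SCOPE_ONE && memchr(dn->bv_val, ',', diff - 1) != NULL)
        return R_OUT;                  /* more than one RDN below the base */
    return R_IN;
}

int main(void)
{
    /* DNs taken from the report; the NULL models the missing uid=toto entry. */
    struct berval base = bv("ou=users,dc=cirra,dc=net");
    struct entry toto = { bv("uid=toto,ou=users,dc=cirra,dc=net") };
    printf("missing entry: %d\n", restrict_in_scope(NULL, &base, SCOPE_ONE));
    printf("existing entry: %d\n", restrict_in_scope(&toto, &base, SCOPE_ONE));
    return 0;
}
```

A caller that gets R_MISSING can skip the constraint and let the backend answer the modify with its usual "no such object" result.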