[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#8232) potential crash from syncprov_op_abandon

To: openldap-its@OpenLDAP.org
Subject: (ITS#8232) potential crash from syncprov_op_abandon
From: hyc@openldap.org
Date: Sat, 29 Aug 2015 18:44:20 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

Full_Name: Howard Chu
Version: 2.4
OS: 
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (73.15.219.210)
Submitted by: hyc


If a connection closes while syncprov_search_response is turning the current
search op into a detached psearch op, connection_abandon() may get run on the
connection while both the original and the detached copy of the op are present
on the connection queue. detach_op will append the new copy onto the end of the
connection's queue.

connection_abandon will find the original op first, and call into
syncprov_op_abandon. syncprov_op_abandon will cause the detached copy to be
freed from the si->si_ops list (since both copies have same connid and msgid).
If there has been no other activity on the connection, then the original op's
o_next will be pointing to the detached copy. connection_abandon is using this
o_next to iterate thru the connection's queue. After syncprov frees this copy,
connection_abandon will probably SEGV.

The fix is to prevent connection_abandon from calling abandon handlers on an op
that has already been abandoned.

Prev by Date: regression from ITS#8042
Next by Date: Re: (ITS#8230) [PATCH] totp: bug fixes and improvements
Index(es):
- Chronological
- Thread