Full_Name: Howard Chu
Version: 2.4
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (73.15.219.210)
Submitted by: hyc
If a connection closes while syncprov_search_response is turning the current search op into a detached psearch op, connection_abandon() may get run on the connection while both the original and the detached copy of the op are present on the connection queue. detach_op will append the new copy onto the end of the connection's queue.
connection_abandon will find the original op first, and call into syncprov_op_abandon. syncprov_op_abandon will cause the detached copy to be freed from the si->si_ops list (since both copies have the same connid and msgid). If there has been no other activity on the connection, then the original op's o_next will be pointing to the detached copy. connection_abandon is using this o_next to iterate through the connection's queue. After syncprov frees this copy, connection_abandon will probably SEGV.
The fix is to prevent connection_abandon from calling abandon handlers on an op that has already been abandoned.
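The sequence above, reduced to a runnable model (added here as an illustration; this is not slapd's code, and the queue, overlay list, handler and instrumented "free" are the model's own assumptions). The names mirror the report's vocabulary (o_next, connid, msgid, si_ops, detach_op, connection_abandon). The model marks the original op abandoned at detach time, on the assumption that the frontend no longer sends a result for it once the detached copy owns the search; the abandon handler unlinks and frees every overlay-owned op with a matching connid/msgid; and instead of calling free() the model flags the op so that the walk can report a dangling touch rather than crash. Running the walk without and with the "skip already-abandoned ops" check shows the difference:

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of the race in the report. Names follow slapd's vocabulary
 * but this is not OpenLDAP code: the queue, the overlay list, the handler and
 * the instrumented "free" are modeling assumptions made so the sequence can
 * be run and checked. */

typedef struct op {
    struct op *o_next;  /* next op on the connection queue */
    int o_connid;
    int o_msgid;
    int o_abandon;      /* set once abandon processing has claimed this op */
    int o_freed;        /* instrumentation: model_free() sets this instead of calling free() */
} op_t;

typedef struct { op_t *c_ops; } conn_t;   /* head of the per-connection op queue */

#define MAX_OPS 8
static op_t *all_ops[MAX_OPS];  /* every op allocated, so the model can release them */
static int n_all;
static op_t *si_ops[MAX_OPS];   /* model of si->si_ops: detached copies the overlay owns */
static int n_si;

static op_t *new_op(int connid, int msgid)
{
    op_t *op = calloc(1, sizeof *op);
    if (!op) abort();
    op->o_connid = connid;
    op->o_msgid = msgid;
    all_ops[n_all++] = op;
    return op;
}

static void queue_append(conn_t *c, op_t *op)
{
    op_t **pp = &c->c_ops;
    while (*pp) pp = &(*pp)->o_next;
    *pp = op;
}

/* Unlink like STAILQ_REMOVE: the predecessor's o_next is repointed. */
static void queue_remove(conn_t *c, op_t *op)
{
    op_t **pp = &c->c_ops;
    while (*pp && *pp != op) pp = &(*pp)->o_next;
    if (*pp) *pp = op->o_next;
}

/* In real code this would be free(); the model only marks the op so that a
 * later touch can be detected instead of crashing. */
static void model_free(op_t *op) { op->o_freed = 1; }

/* detach_op: clone the search op, hand the search to the clone, register the
 * clone with the overlay and append it to the end of the connection queue.
 * Modeling assumption: the original is marked abandoned here because the
 * frontend no longer sends a result for it. */
static op_t *detach_op(conn_t *c, op_t *orig)
{
    op_t *copy = new_op(orig->o_connid, orig->o_msgid);
    si_ops[n_si++] = copy;
    queue_append(c, copy);
    orig->o_abandon = 1;
    return copy;
}

/* Stand-in for syncprov_op_abandon: every overlay-owned op with the same
 * connid and msgid is unlinked from the connection queue and freed. */
static void overlay_abandon(conn_t *c, op_t *op)
{
    for (int i = 0; i < n_si; i++) {
        op_t *so = si_ops[i];
        if (so && so->o_connid == op->o_connid && so->o_msgid == op->o_msgid) {
            queue_remove(c, so);
            model_free(so);
            si_ops[i] = NULL;
        }
    }
}

/* Walks the queue as the report describes: o_next is read before the handler
 * runs, so a handler that frees a different op (the detached copy, while the
 * original is being processed) leaves `next` dangling.  Returns how many freed
 * ops the loop touched; 0 means the walk was safe. */
static int connection_abandon(conn_t *c, int skip_already_abandoned)
{
    int touched_freed = 0;
    op_t *next;
    for (op_t *o = c->c_ops; o; o = next) {
        if (o->o_freed) {           /* a use-after-free in the real code */
            touched_freed++;
            break;
        }
        next = o->o_next;
        if (skip_already_abandoned && o->o_abandon)
            continue;               /* the fix: do not run handlers on an op already abandoned */
        o->o_abandon = 1;
        overlay_abandon(c, o);
    }
    return touched_freed;
}

/* Reproduces the report's sequence on a fresh connection (constructed
 * connid 1, msgid 7) and returns how many freed ops the abandon walk touched. */
int run_scenario(int fixed)
{
    conn_t conn = { NULL };
    n_all = 0; n_si = 0;
    op_t *search = new_op(1, 7);
    queue_append(&conn, search);
    detach_op(&conn, search);       /* queue is now [search, detached copy] */
    int result = connection_abandon(&conn, fixed);
    for (int i = 0; i < n_all; i++) free(all_ops[i]);
    return result;
}

int main(void)
{
    printf("without fix: touched %d freed op(s)\n", run_scenario(0));
    printf("with fix:    touched %d freed op(s)\n", run_scenario(1));
    return 0;
}
```

Without the check, processing the original runs the handler, which frees the detached copy that the cached o_next still points at, so the next iteration lands on freed memory. With the check, the original (already abandoned by the detach) is skipped, and the handler only ever frees the op currently being processed, which has already been unlinked and whose successor was read before the free.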