https://bugs.openldap.org/show_bug.cgi?id=9262
--- Comment #1 from edeity@gmail.com ---
We've encountered a similar segfault.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  ldap_chain_op (op=op@entry=0x7f32a812df70, rs=rs@entry=0x7f32bd14b9a0, op_f=0x56207ba8aa50 <ldap_back_search>, ref=ref@entry=0x0, depth=depth@entry=0) at chain.c:422
422         for ( ; !BER_BVISNULL( ref ); ref++ ) {
The segfault occurred because ref itself is NULL, as you can see, and BER_BVISNULL checks for ref->bv_val:
# include/lber_pvt.h
217 #define BER_BVISNULL(bv)        ((bv)->bv_val == NULL)
Our backtrace contains:
#bt
#0  ldap_chain_op (op=op@entry=0x7fb1f018d820, rs=rs@entry=0x7fb21bffe9a0, op_f=0x55a4b9a9ca50 <ldap_back_search>, ref=ref@entry=0x0, depth=depth@entry=0) at chain.c:422
#1  0x000055a4b9aec883 in ldap_chain_response (op=0x7fb1f018d820, rs=0x7fb21bffe9a0) at chain.c:1061
#2  0x000055a4b9a711e8 in over_back_response (op=0x7fb1f018d820, rs=0x7fb21bffe9a0) at backover.c:237
#3  0x000055a4b9a147f6 in slap_response_play (op=op@entry=0x7fb1f018d820, rs=rs@entry=0x7fb21bffe9a0) at result.c:508
#4  0x000055a4b9a14d50 in send_ldap_response (op=op@entry=0x7fb1f018d820, rs=rs@entry=0x7fb21bffe9a0) at result.c:583
#5  0x000055a4b9a158f2 in slap_send_ldap_result (op=0x7fb1f018d820, rs=0x7fb21bffe9a0) at result.c:861
#6  0x000055a4b9ab3750 in mdb_search (op=0x7fb1f018d820, rs=0x7fb21bffe9a0) at search.c:552
...
In our case, we got here from ldap_chain_response, which defines ref as:
# servers/slapd/back-ldap/chain.c
955 static int
956 ldap_chain_response( Operation *op, SlapReply *rs )
957 {
..
967         BerVarray       ref;
However, in this case, its value comes from rs->sr_ref, which does get set to NULL in various locations in the code in some situations and therefore appears to be a valid value.
1025        ref = rs->sr_ref;
1026        rs->sr_ref = NULL;
...
1062        case LDAP_REQ_DELETE:
1063                rc = ldap_chain_op( op, rs, op_delete, ref, 0 );
The assumption of the check at chain.c:422 seems to be that ref itself won't be NULL. We're working to identify the circumstances that get us to this.
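As an added illustration (not OpenLDAP's code and not part of the report above), the snippet below reproduces the crash pattern described in the comment and shows the guard that avoids it: BER_BVISNULL dereferences its argument, so a loop over a BerVarray must first check that the array pointer itself is non-NULL. The struct berval layout mirrors liblber's (bv_len, bv_val) and BER_BVISNULL is the macro quoted above; the helper names count_refs_guarded / count_refs_unguarded, sample_refs and the referral URIs are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-in for liblber's struct berval (same member layout). */
struct berval {
    size_t bv_len;
    char  *bv_val;
};
typedef struct berval *BerVarray;

/* Macro as quoted in the report from include/lber_pvt.h. It dereferences bv,
 * so a NULL array pointer faults before bv_val is ever compared. */
#define BER_BVISNULL(bv) ((bv)->bv_val == NULL)
#define BER_BVNULL { 0L, NULL }

/* Hypothetical helper mirroring the loop at chain.c:422 without a guard.
 * Calling it with ref == NULL reproduces the SIGSEGV from the backtrace. */
int count_refs_unguarded(BerVarray ref)
{
    int n = 0;
    for ( ; !BER_BVISNULL(ref); ref++)
        n++;
    return n;
}

/* Hardened form: a NULL array (rs->sr_ref was never set, or was already
 * consumed and cleared) is treated as "no referrals" instead of crashing. */
int count_refs_guarded(BerVarray ref)
{
    int n = 0;
    if (ref == NULL)
        return 0;
    for ( ; !BER_BVISNULL(ref); ref++)
        n++;
    return n;
}

/* Constructed sample: two referral URIs followed by the BER_BVNULL terminator. */
static struct berval sample_refs[] = {
    { 24, "ldap://ldap1.example.com" },
    { 24, "ldap://ldap2.example.com" },
    BER_BVNULL
};

/* Convenience wrapper so the sample can be exercised by name. */
int sample_ref_count(void)
{
    return count_refs_guarded(sample_refs);
}

int main(void)
{
    printf("%d referrals in sample array\n", sample_ref_count());
    printf("%d referrals for a NULL array\n", count_refs_guarded(NULL));
    /* count_refs_unguarded(NULL) would dereference NULL, as at chain.c:422 */
    return 0;
}
```

The guard belongs before the loop rather than inside the macro: BER_BVISNULL is used throughout liblber on pointers that are known to be valid, so adding a NULL test there would hide the real question, namely whether every caller of ldap_chain_op is entitled to pass a NULL ref.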