[Issue 9262] Segmentation Fault on ldap_chain_op during Network Issues

https://bugs.openldap.org/show_bug.cgi?id=9262

--- Comment #1 from edeity@gmail.com --- We've encountered a similar segfault.

Program terminated with signal SIGSEGV, Segmentation fault. #0 ldap_chain_op (op=op@entry=0x7f32a812df70, rs=rs@entry=0x7f32bd14b9a0, op_f=0x56207ba8aa50 <ldap_back_search>, ref=ref@entry=0x0, depth=depth@entry=0) at chain.c:422 422 for ( ; !BER_BVISNULL( ref ); ref++ ) {

The segfault occurred because ref itself is NULL as you can see, and BER_BVISNULL checks for ref->by_val:

# include/lber_pvt.h 217 #define BER_BVISNULL(bv) ((bv)->bv_val == NULL)

Our backtrace contains:

#bt #0 ldap_chain_op (op=op@entry=0x7fb1f018d820, rs=rs@entry=0x7fb21bffe9a0, op_f=0x55a4b9a9ca50 <ldap_back_search>, ref=ref@entry=0x0, depth=depth@entry=0) at chain.c:422 #1 0x000055a4b9aec883 in ldap_chain_response (op=0x7fb1f018d820, rs=0x7fb21bffe9a0) at chain.c:1061 #2 0x000055a4b9a711e8 in over_back_response (op=0x7fb1f018d820, rs=0x7fb21bffe9a0) at backover.c:237 #3 0x000055a4b9a147f6 in slap_response_play (op=op@entry=0x7fb1f018d820, rs=rs@entry=0x7fb21bffe9a0) at result.c:508 #4 0x000055a4b9a14d50 in send_ldap_response (op=op@entry=0x7fb1f018d820, rs=rs@entry=0x7fb21bffe9a0) at result.c:583 #5 0x000055a4b9a158f2 in slap_send_ldap_result (op=0x7fb1f018d820, rs=0x7fb21bffe9a0) at result.c:861 #6 0x000055a4b9ab3750 in mdb_search (op=0x7fb1f018d820, rs=0x7fb21bffe9a0) at search.c:552 ...

In our case, we got here from ldap_chain_response, which defines ref as:

# servers/slapd/back-ldap/chain.c 955 static int 956 ldap_chain_response( Operation *op, SlapReply *rs ) 957 { .. 967 BerVarray ref;

However, in this case, it's value comes from rs->sr_ref, which does get set to NULL in various locations in the code in some situations and therefore appears to be a valid value.

1025 ref = rs->sr_ref; 1026 rs->sr_ref = NULL; ... 1062 case LDAP_REQ_DELETE: 1063 rc = ldap_chain_op( op, rs, op_delete, ref, 0 );

The assumption of the check at chain.c:422 seems to be that ref itself won't be NULL. We're working to identify the circumstances that get us to this.