https://bugs.openldap.org/show_bug.cgi?id=9553
Issue ID: 9553
Summary: Segfault in mdb_txn_abort handler caused by uninitialized pointer in mdb_reader_flush
Product: OpenLDAP
Version: 2.4.58
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: backends
Assignee: bugs@openldap.org
Reporter: jrddunbr@amazon.com
Target Milestone: ---
This is for OpenLDAP 2.4.58, git commit 350ede08564ab14a45884c6f7c32419d98a75468 best I can tell.
I have located an issue in mdb_reader_flush where it appears that an uninitialized pointer causes segfaults when threading is disabled.
In the following function: https://git.openldap.org/openldap/openldap/-/blob/350ede08564ab14a45884c6f7c...
```c
void
mdb_reader_flush( MDB_env *env )
{
	void *data;   /* not initialized; see the description below */
	void *ctx = ldap_pvt_thread_pool_context();

	if ( !ldap_pvt_thread_pool_getkey( ctx, env, &data, NULL ) ) {
		ldap_pvt_thread_pool_setkey( ctx, env, NULL, 0, NULL, NULL );
		mdb_reader_free( env, data );
	}
}
```
the `void *data;` gets random values and is not initialized to NULL; when there is no thread pool the functions after it return without doing anything, and that pointer is passed down into mdb_reader_free, which passes down to mdb_txn_abort, where it is (recursively) de-referenced until the pointer is NULL. This causes a segfault, as that condition is not reached before it tries reading invalid memory addresses.
The fix appears to be to make the following modification:
Change `void *data;` to `void *data = NULL;`.
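A constructed model of the failure mode and of the proposed one-line fix, added here as an illustration; it is not OpenLDAP code. `pool_getkey`, `txn_abort_chain`, `reader_flush_buggy`, `reader_flush_fixed` and `make_chain` are hypothetical stand-ins for `ldap_pvt_thread_pool_getkey`, the `mdb_txn_abort` walk, `mdb_reader_flush` and a reader's transaction chain; the "no thread pool" path is modelled, as the report describes it, as a lookup that returns without writing through the out-pointer.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model (not OpenLDAP's code): a reader owns a chain of
 * transactions that the abort routine walks until it reads a NULL link.
 * A stale stack value in that pointer therefore means reading memory
 * that was never a txn, while NULL is simply "nothing to free". */
typedef struct txn {
    struct txn *parent;
} txn_t;

/* Hypothetical stand-in for ldap_pvt_thread_pool_getkey(). It mirrors the
 * behaviour the report describes: with no thread pool (ctx == NULL) it
 * returns 0 ("success") WITHOUT writing *data, so the caller's local keeps
 * whatever happened to be on the stack. */
static int pool_getkey(void *ctx, void **data)
{
    if (ctx == NULL)
        return 0;            /* no pool: early return, *data untouched */
    *data = ctx;             /* real pool: key maps to the reader's chain */
    return 0;
}

/* Stand-in for the mdb_txn_abort() walk: releases each txn up the chain and
 * stops only at a NULL link. Returns how many transactions were freed. */
static int txn_abort_chain(txn_t *txn)
{
    int n = 0;
    while (txn != NULL) {
        txn_t *parent = txn->parent;
        free(txn);
        txn = parent;
        n++;
    }
    return n;
}

/* Shape of the bug: `data` is declared but never assigned on the no-pool
 * path, and the walk then dereferences an indeterminate pointer. Reading an
 * uninitialized local is undefined behaviour, so this function is shown
 * for comparison only and is never called below. */
int reader_flush_buggy(void *ctx)
{
    void *data;
    if (!pool_getkey(ctx, &data))
        return txn_abort_chain((txn_t *)data);   /* garbage when ctx == NULL */
    return 0;
}

/* The fix proposed in the report: start from NULL, so a lookup that never
 * assigns `data` hands the walk its terminating value instead of junk. */
int reader_flush_fixed(void *ctx)
{
    void *data = NULL;
    if (!pool_getkey(ctx, &data))
        return txn_abort_chain((txn_t *)data);
    return 0;
}

/* Builds a constructed chain of `depth` transactions for the demo. */
txn_t *make_chain(int depth)
{
    txn_t *head = NULL;
    for (int i = 0; i < depth; i++) {
        txn_t *t = malloc(sizeof *t);
        if (t == NULL)
            return head;     /* allocation failure: return what we have */
        t->parent = head;
        head = t;
    }
    return head;
}

int main(void)
{
    /* No thread pool: the fixed flush frees nothing and does not crash. */
    printf("no pool: freed %d\n", reader_flush_fixed(NULL));
    /* With a pool: the whole constructed chain is released. */
    printf("pool:    freed %d\n", reader_flush_fixed(make_chain(3)));
    return 0;
}
```

The point the model makes is that the fix is correct only because the downstream walk treats NULL as "stop"; when an out-parameter may legitimately be left unwritten, initializing the local to the value the consumer already handles is the smallest change that removes the undefined read. Building with `-Wall -Wmaybe-uninitialized` (GCC) flags the `reader_flush_buggy` pattern at compile time, which is the cheap check to add to a CI build for code paths that are only exercised without a thread pool.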
I don't actually know much about the internals of this application, so I wanted to make sure that this is the correct solution before making a pull request for it.
Apologies if my C terminology is not up to snuff; this is not my forte.