Reopening this ITS...

Howard Chu writes:

...

Full_Name: Hallvard B Furuseth

overlays/syncprov.c:syncprov_findcsn() sets an unchecked limit to 1. findcsn_cb() says /* We just want to know that at least one exists, so it's OK if * we exceed the unchecked limit or size limit. */

This looks like it can return a false positive if two or more other entries which the filter would eliminate have the same hash as the value syncprov searches for.

I don't believe this can cause any problem though. CSN indexing doesn't use a hash the way other indices do; the CSN timestamp is converted to binary form and saved as a 40 bit integer. Index collisions will only occur for multiple changes that occurred within the same 1-second interval.

Only if entryCSN is indexed, which is recommended but not required in man slapo-syncprov. With un-indexed entryCSN it'll hit the unchecked limit if there are two or more entries in scope for the search.

Also - another marginal case - findcsn_cb() assumes adminLimitExceeded implies a size limit (.size or .unchecked). It could also mean a hard time limit. After someone did ^Z on slapd while stepping through some debugging, if nothing else.