Full_Name: Ralf Haferkamp
Version: HEAD, RE24
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (92.252.30.227)
Submitted by: ralf
slapd in current HEAD and RE24 crashes when the last object from the database is deleted and re-added. Valgrind gives me this (during the ldapadd operation):
==11646== Invalid read of size 8
==11646==    at 0x52E4F2: bdb_cache_lru_link (cache.c:137)
==11646==    by 0x530762: hdb_cache_add (cache.c:1191)
==11646==    by 0x52C8D9: hdb_add (add.c:484)
==11646==    by 0x44A43D: fe_op_add (add.c:334)
==11646==    by 0x449DB0: do_add (add.c:194)
==11646==    by 0x4410E6: connection_operation (connection.c:1123)
==11646==    by 0x441672: connection_read_thread (connection.c:1259)
==11646==    by 0x4E3C51C: ldap_int_thread_pool_wrapper (tpool.c:685)
==11646==    by 0x6EB206F: start_thread (in /lib64/libpthread-2.9.so)
==11646==    by 0x719A10C: clone (in /lib64/libc-2.9.so)
==11646==  Address 0x9b25740 is 128 bytes inside a block of size 144 free'd
==11646==    at 0x4C243AF: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==11646==    by 0x5091C09: ber_memfree_x (memory.c:152)
==11646==    by 0x465624: ch_free (ch_malloc.c:139)
==11646==    by 0x52E493: bdb_cache_entryinfo_free (cache.c:104)
==11646==    by 0x530E5A: hdb_cache_delete_cleanup (cache.c:1419)
==11646==    by 0x5369A9: hdb_delete (delete.c:575)
==11646==    by 0x462FDD: fe_op_delete (delete.c:174)
==11646==    by 0x462C6C: do_delete (delete.c:95)
==11646==    by 0x4410E6: connection_operation (connection.c:1123)
==11646==    by 0x4E3C51C: ldap_int_thread_pool_wrapper (tpool.c:685)
==11646==    by 0x6EB206F: start_thread (in /lib64/libpthread-2.9.so)
==11646==    by 0x719A10C: clone (in /lib64/libc-2.9.so)
Further investigation with gdb showed that bdb->bi_cache.c_lrutail points to free'd memory after the last object is removed from the database, which results in the crash when trying to access that memory during the add operation. I am currently working on a fix. Will submit it to HEAD later today.
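The defect class the report describes, a list tail pointer left dangling when the last cached entry is freed, reduced to a small doubly linked LRU list. This is an added illustration, not OpenLDAP code: the struct names, the `lru_link`/`lru_unlink` helpers and the single-entry delete-then-re-add scenario are constructed here to mirror the shape of the report (a head pointer, a tail pointer playing the role of `c_lrutail`, and an unlink routine that forgets to update the tail). The defective and corrected unlink sit side by side; the test for the defective one captures the entry's address as an integer before `free()` so the dangling pointer is detected without dereferencing freed memory.

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal doubly linked LRU list with a head and a tail pointer.
 * Constructed example; the names are assumptions, not back-bdb's. */
typedef struct lru_entry {
    struct lru_entry *prev, *next;
    char dn[64];
} lru_entry;

typedef struct lru_cache {
    lru_entry *head;   /* most recently used */
    lru_entry *tail;   /* least recently used; the "c_lrutail" role */
    int count;
} lru_cache;

static void lru_link(lru_cache *c, lru_entry *e)
{
    e->prev = NULL;
    e->next = c->head;
    if (c->head) c->head->prev = e;   /* dereferences tail/head state */
    c->head = e;
    if (!c->tail) c->tail = e;        /* first entry is head and tail */
    c->count++;
}

/* Defective unlink: fixes neighbours and the head pointer but never
 * touches the tail.  Removing the only entry leaves tail pointing at
 * memory the caller is about to free. */
static void lru_unlink_buggy(lru_cache *c, lru_entry *e)
{
    if (e->prev) e->prev->next = e->next;
    if (e->next) e->next->prev = e->prev;
    if (c->head == e) c->head = e->next;
    c->count--;
}

/* Corrected unlink: tail is maintained like head, so removing the last
 * entry leaves an empty list with head == tail == NULL. */
static void lru_unlink(lru_cache *c, lru_entry *e)
{
    if (e->prev) e->prev->next = e->next;
    if (e->next) e->next->prev = e->prev;
    if (c->head == e) c->head = e->next;
    if (c->tail == e) c->tail = e->prev;
    c->count--;
    e->prev = e->next = NULL;
}

static lru_entry *entry_new(const char *dn)
{
    lru_entry *e = calloc(1, sizeof *e);
    if (!e) abort();
    strncpy(e->dn, dn, sizeof e->dn - 1);
    return e;
}

/* Delete the only entry with the defective unlink; returns 1 if the tail
 * pointer still holds the address of the freed block. */
int buggy_tail_dangles(void)
{
    lru_cache c = { NULL, NULL, 0 };
    lru_entry *e = entry_new("dc=example,dc=com");   /* constructed DN */
    lru_link(&c, e);
    uintptr_t freed = (uintptr_t)e;   /* captured before free() */
    lru_unlink_buggy(&c, e);
    free(e);
    /* A later lru_link() would read through this stale pointer: the
     * "Invalid read" Valgrind reports above. */
    return (uintptr_t)c.tail == freed;
}

/* Same delete-then-re-add sequence with the corrected unlink; returns 1
 * if the cache is consistent after the re-add. */
int fixed_delete_readd_ok(void)
{
    lru_cache c = { NULL, NULL, 0 };
    lru_entry *e = entry_new("dc=example,dc=com");
    lru_link(&c, e);
    lru_unlink(&c, e);
    free(e);
    if (c.head != NULL || c.tail != NULL || c.count != 0)
        return 0;
    e = entry_new("dc=example,dc=com");
    lru_link(&c, e);   /* the re-add that crashed slapd */
    int ok = (c.head == e && c.tail == e && c.count == 1);
    lru_unlink(&c, e);
    free(e);
    return ok;
}

int main(void)
{
    assert(buggy_tail_dangles() == 1);
    assert(fixed_delete_readd_ok() == 1);
    return 0;
}
```

Running the example under Valgrind with the corrected unlink reports no invalid reads; the point of the side-by-side is that the invariant to check after any removal is "tail is NULL or still reachable from head", and a debug assertion of that invariant at the end of unlink catches this class of bug before the next add dereferences the stale pointer.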