Full_Name: Timothy Pearson
Version: 2.4.35
OS: Debian Wheezy
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (131.156.2.26)
slapd sporadically crashes in slapd_free_controls when syncrepl is enabled and plugins are in use. The crash is caused by an invalid free in the slapi overlay; it only occurs on the provider in a syncrepl setup. This is the backtrace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe1536700 (LWP 24523)]
*__GI___libc_free (mem=0x18) at malloc.c:3709
3709 malloc.c: No such file or directory.
(gdb)
(gdb) bt
#0 *__GI___libc_free (mem=0x18) at malloc.c:3709
#1 0x00007ffff7974d01 in ber_memfree_x (p=0x18, ctx=0x0) at ../../../../libraries/liblber/memory.c:152
#2 0x00005555555c3003 in slap_free_ctrls (op=0x555555ef0c60, ctrls=0x555555ef2570) at ../../../../servers/slapd/controls.c:569
#3 0x00005555555a41e5 in slap_send_search_entry (op=0x555555ef0c60, rs=0x7fffe1535a40) at ../../../../servers/slapd/result.c:1476
#4 0x00007ffff1e4c465 in hdb_search (op=0x555555ef0c60, rs=0x7fffe1535a40) at search.c:1014
#5 0x00005555555ff1c6 in overlay_op_walk (op=0x555555ef0c60, rs=0x7fffe1535a40, which=op_search, oi=0x5555559e5e70, on=0x0) at ../../../../servers/slapd/backover.c:671
#6 0x00007ffff63bfe5a in slapi_op_func (op=0x555555ef0c60, rs=0x7fffe1535a40) at ../../../../../servers/slapd/slapi/slapi_overlay.c:650
#7 0x00005555555ff18a in overlay_op_walk (op=op@entry=0x555555ef0c60, rs=0x7fffe1535a40, which=op_search, oi=0x5555559e5e70, on=0x5555559e6a60) at ../../../../servers/slapd/backover.c:661
#8 0x00005555555ff31b in over_op_func (op=0x555555ef0c60, rs=<optimized out>, which=<optimized out>) at ../../../../servers/slapd/backover.c:723
#9 0x0000555555594641 in fe_op_search (op=0x555555ef0c60, rs=0x7fffe1535a40) at ../../../../servers/slapd/search.c:402
#10 0x0000555555593f06 in do_search (op=0x555555ef0c60, rs=0x7fffe1535a40) at ../../../../servers/slapd/search.c:247
#11 0x0000555555591961 in connection_operation (ctx=ctx@entry=0x7fffe1535bd0, arg_v=arg_v@entry=0x555555ef0c60) at ../../../../servers/slapd/connection.c:1150
#12 0x0000555555591c84 in connection_read_thread (ctx=0x7fffe1535bd0, argv=<optimized out>) at ../../../../servers/slapd/connection.c:1286
#13 0x00007ffff7b8dfbb in ldap_int_thread_pool_wrapper (xpool=0x55555590a2e0) at ../../../../libraries/libldap_r/tpool.c:688
#14 0x00007ffff5d79b50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#15 0x00007ffff5ac3a7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#16 0x0000000000000000 in ?? ()
(gdb)
This patch fixes the problem: --- servers/slapd/slapi/slapi_overlay.c +++ servers/slapd/slapi/slapi_overlay.c @@ -454,11 +454,11 @@ n_slapi_ctrls = slapi_int_count_controls( slapi_ctrls ); n_rs_ctrls = slapi_int_count_controls( rs->sr_ctrls );
- slapi_pblock_set( pb, SLAPI_X_OLD_RESCONTROLS, (void *)rs->sr_ctrls ); - if ( n_slapi_ctrls == 0 ) return LDAP_SUCCESS; /* no SLAPI controls */
+ slapi_pblock_set( pb, SLAPI_X_OLD_RESCONTROLS, (void *)rs->sr_ctrls ); + ctrls = (LDAPControl **) op->o_tmpalloc( ( n_slapi_ctrls + n_rs_ctrls + 1 ) * sizeof(LDAPControl *), op->o_tmpmemctx );
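Review bot: With slapi_pblock_set( pb, SLAPI_X_OLD_RESCONTROLS, ... ) now placed after the "if ( n_slapi_ctrls == 0 ) return LDAP_SUCCESS;" early return, that path no longer writes SLAPI_X_OLD_RESCONTROLS at all, so the pblock keeps whatever value it held before this call. For a search that sends many entries through the same op, please confirm that the code which later reads SLAPI_X_OLD_RESCONTROLS cannot pick up a value left over from a previous entry; if it can, the early-return path should store NULL explicitly rather than skip the set. The ordering is also the whole fix and nothing in the hunk says so: a short comment above the moved line stating that the old rs->sr_ctrls pointer must only be recorded when a merged array is actually allocated would keep someone from moving it back. The quoted hunk is shorter than the 11 lines its header announces, so the rest of the function, including any check of the o_tmpalloc result, could not be reviewed here.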