Hello Howard,
On Thu, Jul 06, 2017 at 08:55:01PM +0100, Howard Chu wrote:
leitao(a)debian.org wrote:
> Full_Name: Breno Leitao
> Version: upstream
> OS: Debian
> URL:
ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (32.104.18.202)
>
>
> Currently, do_random() function in tests/progs/slapd-mtread.c uses a random
> number (upto RAND_MAX) to access an array that is much smaller than RAND_MAX,
> causing a segfault.
>
> This causes a segmentation fault and more details could be found at
>
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866122
>
>
Thanks for the report. I've examined your proposed patch in your debian
bugtracker. It doesn't make much sense though.
The random number is being correctly scaled, line 682:
int r = ((double)nvalues)*rand()/(RAND_MAX + 1.0);
Which means the value of r can only be from 0 to nvalues-1.
And there should be no difference between nvalues and i, since on line 657:
nvalues = ldap_count_entries( ld, res );
Since i is simply iterated through all of the entries in the response, the
two values cannot disagree.
Thanks for looking at it, and your suggestion made me revisit it. let me
share I am finding in the debug. This is the failure frame:
#5 do_read (ld=0x3fff980008e0, entry=0x6e6d756c413d756f <error: Cannot access
memory at address 0x6e6d756c413d756f>,
attrs=0x20020058 <srchattrs>, noattrs=<optimized out>,
maxloop=<optimized out>, maxretries=<optimized out>, force=<optimized
out>,
idx=<optimized out>, chaserefs=<optimized out>, delay=<optimized
out>, nobind=<optimized out>) at ../../../../tests/progs/slapd-mtread.c:791
On this frame, these are the values we have:
i = 0
do_retry = 0
rc = <optimized out>
thrstr = "Read(1): entry=\"0 cnt: 1 (retried 0)
(dc=example,dc=com)\000u=Alumni
Association,ou=People,dc=example,dc=com)\000mple,dc=com)", '\000' <repeats
6641 times>...
e = <optimized out>
attrs = {0x200072a0 "1.1", 0x0}
rc = 0
nvalues = <optimized out>
res = 0x3fffa0001ac0
So, that is what I suppose is happening. On the following loop,
ldap_first_entry() is returning NULL, thus, i = 0;
for ( i = 0, e = ldap_first_entxury( ld, res ); e != NULL; i++, e =
ldap_next_entry( ld, e ) )
{
values[ i ] = ldap_get_dn( ld, e );
}
values[ i ] = NULL;
Thus, value[0] = NULL;
Later, the do_random() code does the following loop and innerloop is 10000.
for ( i = 0; i < innerloop; i++ ) {
int r = ((double)nvalues)*rand()/(RAND_MAX + 1.0);
do_read( ld, values[ r ],
srchattrs, noattrs, nobind, 1, maxretries,
delay, force, chaserefs, idx );
}
Thus, independent of the r value, values[r] will have garbage, right? But I
agree with you, I need to find a better patch that address this e = NULL corner
case.