Full_Name: Pierangelo Masarati
Version: HEAD/re24
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (129.72.166.16)
Submitted by: ando
When compiled with -DSLAP_NO_SL_MALLOC=1 test030 cores when performing passwd extop with back-ldap; a gdb stack backtrace is provided below.
(gdb) bt
#0 0x00115402 in __kernel_vsyscall ()
#1 0x001c4d20 in raise () from /lib/libc.so.6
#2 0x001c6631 in abort () from /lib/libc.so.6
#3 0x001fce6b in __libc_message () from /lib/libc.so.6
#4 0x00204b16 in _int_free () from /lib/libc.so.6
#5 0x00208070 in free () from /lib/libc.so.6
#6 0x0826ae7a in ber_memfree_x (p=0x8b84fe0, ctx=0x0) at ../../../ldap-src/libraries/liblber/memory.c:152
#7 0x080f537c in slap_sl_free (ptr=0x8b84fe0, ctx=0x8b15138) at ../../../ldap-src/servers/slapd/sl_malloc.c:481
#8 0x080c8c58 in do_extended (op=0x8b2cde0, rs=0xb79820e4) at ../../../ldap-src/servers/slapd/extended.c:184
#9 0x0808acba in connection_operation (ctx=0xb79821d0, arg_v=0x8b2cde0) at ../../../ldap-src/servers/slapd/connection.c:1109
#10 0x0808b1fa in connection_read_thread (ctx=0xb79821d0, argv=0xd) at ../../../ldap-src/servers/slapd/connection.c:1245
#11 0x08234cc9 in ldap_int_thread_pool_wrapper (xpool=0x8a53b28) at ../../../ldap-src/libraries/libldap_r/tpool.c:685
#12 0x0011b46b in start_thread () from /lib/libpthread.so.0
#13 0x0026cdbe in clone () from /lib/libc.so.6
The issue, according to valgrind, consists in a double-free, which does not surface when dealt with by the slab.
conn=1021 fd=17 ACCEPT from IP=127.0.0.1:45744 (IP=127.0.0.1:9011)
conn=1021 op=0 BIND dn="cn=Manager,o=Example,c=US" method=128
conn=1022 fd=22 ACCEPT from IP=127.0.0.1:45745 (IP=127.0.0.1:9011)
conn=1022 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
conn=1022 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
conn=1022 op=0 RESULT tag=97 err=0 text=
conn=1021 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
conn=1021 op=0 RESULT tag=97 err=0 text=
conn=1021 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=1021 op=1 PASSMOD id="cn=Added User,ou=Alumni Association,ou=People,o=Example,c=US" new
conn=1022 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=1022 op=1 PASSMOD id="cn=Added User,ou=Alumni Association,ou=People,dc=example,dc=com" new
conn=1021 op=1 RESULT oid= err=0 text=
==4946==
==4946== Thread 7:
==4946== Invalid free() / delete / delete[]
==4946== at 0x4004FDA: free (vg_replace_malloc.c:233)
==4946== by 0x826AE79: ber_memfree_x (memory.c:152)
==4946== by 0x80F537B: slap_sl_free (sl_malloc.c:481)
==4946== by 0x80C8C57: do_extended (extended.c:184)
==4946== by 0x808ACB9: connection_operation (connection.c:1109)
==4946== by 0x808B1F9: connection_read_thread (connection.c:1245)
==4946== by 0x8234CC8: ldap_int_thread_pool_wrapper (tpool.c:685)
==4946== by 0xDEB46A: start_thread (in /lib/libpthread-2.5.so)
==4946== by 0xD42DBD: clone (in /lib/libc-2.5.so)
==4946== Address 0x45DD018 is 0 bytes inside a block of size 62 free'd
==4946== at 0x4004FDA: free (vg_replace_malloc.c:233)
==4946== by 0x826AE79: ber_memfree_x (memory.c:152)
==4946== by 0x80F537B: slap_sl_free (sl_malloc.c:481)
==4946== by 0x80CA323: passwd_extop (passwd.c:321)
==4946== by 0x80C8E6E: fe_extended (extended.c:222)
==4946== by 0x80C8C05: do_extended (extended.c:177)
==4946== by 0x808ACB9: connection_operation (connection.c:1109)
==4946== by 0x808B1F9: connection_read_thread (connection.c:1245)
==4946== by 0x8234CC8: ldap_int_thread_pool_wrapper (tpool.c:685)
==4946== by 0xDEB46A: start_thread (in /lib/libpthread-2.5.so)
==4946== by 0xD42DBD: clone (in /lib/libc-2.5.so)
The issue *might* be related to slapo-rwm playing with the rewriting of the request dn/ndn, but it does not surface when the same test is performed using back-relay, which also uses slapo-rwm.
p.
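
Added example, not part of the original report and not OpenLDAP code: a small triage script that pairs the two stacks of a valgrind "Invalid free" report and names the function that still holds the pointer across both frees. The names REPORT, ALLOCATOR, split_stacks and triage are hypothetical, and the embedded report is the one above with the thread-pool and libc frames trimmed.

```python
import re

# Constructed sample: the valgrind report from the bug above, trimmed to the
# frames that matter (thread-pool and libc frames omitted).
REPORT = """\
==4946== Invalid free() / delete / delete[]
==4946== at 0x4004FDA: free (vg_replace_malloc.c:233)
==4946== by 0x826AE79: ber_memfree_x (memory.c:152)
==4946== by 0x80F537B: slap_sl_free (sl_malloc.c:481)
==4946== by 0x80C8C57: do_extended (extended.c:184)
==4946== by 0x808ACB9: connection_operation (connection.c:1109)
==4946== Address 0x45DD018 is 0 bytes inside a block of size 62 free'd
==4946== at 0x4004FDA: free (vg_replace_malloc.c:233)
==4946== by 0x826AE79: ber_memfree_x (memory.c:152)
==4946== by 0x80F537B: slap_sl_free (sl_malloc.c:481)
==4946== by 0x80CA323: passwd_extop (passwd.c:321)
==4946== by 0x80C8E6E: fe_extended (extended.c:222)
==4946== by 0x80C8C05: do_extended (extended.c:177)
==4946== by 0x808ACB9: connection_operation (connection.c:1109)
"""

FRAME = re.compile(r"==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+?)\)")
ALLOCATOR = {"free", "ber_memfree_x", "slap_sl_free"}  # wrappers, not owners

def split_stacks(report):
    """Return (second_free_stack, first_free_stack), innermost frame first."""
    stacks, current = [], None
    for line in report.splitlines():
        if "Invalid free()" in line or "free'd" in line:
            current = []          # a header line starts a new stack
            stacks.append(current)
        elif current is not None and (m := FRAME.match(line)):
            current.append((m.group(1), m.group(2)))
    if len(stacks) != 2:
        raise ValueError("expected one invalid-free stack and one free'd stack")
    return stacks[0], stacks[1]

def triage(report):
    second, first = split_stacks(report)
    owner = lambda st: next(f for f in st if f[0] not in ALLOCATOR)
    # Walk outward from the second free until a function that is also on the
    # first free's stack appears: it holds the pointer across both frees.
    first_by_func = {func: loc for func, loc in first}
    shared = next(f for f in second if f[0] not in ALLOCATOR and f[0] in first_by_func)
    return {"first_free": owner(first), "second_free": owner(second),
            "shared_caller": shared[0],
            "call_leading_to_first_free": first_by_func[shared[0]]}
```

For this report the result points at do_extended: the call at extended.c:177 leads to the free in passwd_extop (passwd.c:321), and do_extended frees the same block again at extended.c:184.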