jwm@horde.net wrote:

Full_Name: John Morrissey Version: 2.4.16 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (2001:4978:194:0:21f:5bff:fee9:da92)

Looking back through the call chain, do_syncrepl() sets op->o_tmpmemctx to NULL:

 /* use global malloc for now */
 op->o_tmpmemctx = NULL;
 op->o_tmpmfuncs =&ch_mfuncs;

This should be removed.

so generalizedTimeIndexer()'s call to slap_sl_malloc() falls back to ber_memalloc_x() due to the null ctx. If malloc() fails there, NULL is eventually returned to the original caller of slap_sl_malloc(), likely resulting in a segfault.

And slap_sl_malloc() should be changed in this case to assert() just like ch_malloc() does.

All of the indexing routines seem to ignore slap_sl_malloc()'s return value, opening them up to this problem, too. Someone else will need to step in with a proper fix since I don't know much about slapd internals, but it seems that if these routines are being called with a deliberate null ctx, they should be checking for malloc failure. A cursory glance around back-bdb indicates that indexing function callers already handle failure return codes gracefully.