Full_Name: Hallvard B Furuseth
Version: 2.4.21++, master
Submission from: (NULL) (184.108.40.206)
Submitted by: hallvard
In syncrepl_config(), ldap_pvt_runqueue_remove() frees 're',
then the retract statement reads 're->routine':
    ldap_pvt_runqueue_remove( &slapd_rq, re );
    if ( ldap_pvt_thread_pool_retract( &connection_pool,
            re->routine, re ) > 0 )
Formally I think the pointer 're' itself is invalid after freeing it,
so the ISO C-clean fix would involve calling retract() first. If
that's wrong: I assume the thread pool is paused at this point, so
the task can not be started (and use re) before it can be retracted,
and we can just read re->routine before freeing re.
Makes sense. Fixed in master.
Found by Valgrind in test063-delta-multimaster.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
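The two orderings discussed above (retract before remove, or copy the routine out before freeing the entry), as an added illustration that is not code from this report or from OpenLDAP. The runqueue, entry struct, runqueue_remove() and pool_retract() below are a hypothetical minimal model, not the slapd API; the real functions are only named in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical task-entry model: a routine plus an argument, kept in a list.
 * Mirrors only what the report needs (re->routine, and re as an identity value). */
typedef void *(*task_fn)(void *ctx, void *arg);

typedef struct re_s {
    task_fn routine;
    void *arg;
    struct re_s *next;
} re_t;

typedef struct { re_t *head; } runqueue_t;

/* Recorded by pool_retract() so the scenarios can check what was passed. */
static task_fn last_retracted_routine;
static void *last_retracted_arg;

static void *demo_task(void *ctx, void *arg) { (void)ctx; (void)arg; return NULL; }

static re_t *runqueue_insert(runqueue_t *rq, task_fn fn, void *arg) {
    re_t *re = calloc(1, sizeof *re);
    if (re == NULL) return NULL;
    re->routine = fn;
    re->arg = arg;
    re->next = rq->head;
    rq->head = re;
    return re;
}

/* Models ldap_pvt_runqueue_remove(): unlinks AND frees 're'.
 * After this returns, dereferencing 're' is a use-after-free. The memset
 * poisons the entry first so a stale read shows up as garbage rather than
 * appearing to work, which is the defect Valgrind flagged in the report. */
static void runqueue_remove(runqueue_t *rq, re_t *re) {
    re_t **pp = &rq->head;
    while (*pp != NULL && *pp != re) pp = &(*pp)->next;
    if (*pp != NULL) *pp = re->next;
    memset(re, 0xA5, sizeof *re);
    free(re);
}

/* Models ldap_pvt_thread_pool_retract(): 1 if a pending task matched, else 0. */
static int pool_retract(task_fn fn, void *arg) {
    last_retracted_routine = fn;
    last_retracted_arg = arg;
    return (fn == demo_task) ? 1 : 0;
}

/* Fix (a), the ISO C-clean one: retract while 're' is still a valid object. */
static int cancel_retract_first(runqueue_t *rq, re_t *re) {
    int retracted = pool_retract(re->routine, re) > 0;
    runqueue_remove(rq, re);
    return retracted;
}

/* Fix (b), the shape the report describes as committed: read re->routine
 * before freeing, then retract. Note 're' is still handed to pool_retract()
 * as a bare identity value after free(), which the report points out is
 * formally not ISO C-clean even though it is never dereferenced. */
static int cancel_copy_then_remove(runqueue_t *rq, re_t *re) {
    task_fn fn = re->routine;
    runqueue_remove(rq, re);
    return pool_retract(fn, re) > 0;
}

/* Scenario helpers: each returns 1 when the task was retracted, the queue is
 * empty afterwards, and the routine handed to retract was the right one. */
static int run_retract_first_scenario(void) {
    runqueue_t rq = { NULL };
    re_t *re = runqueue_insert(&rq, demo_task, NULL);
    int ok = cancel_retract_first(&rq, re);
    return ok && rq.head == NULL && last_retracted_routine == demo_task;
}

static int run_copy_then_remove_scenario(void) {
    runqueue_t rq = { NULL };
    re_t *re = runqueue_insert(&rq, demo_task, NULL);
    int ok = cancel_copy_then_remove(&rq, re);
    return ok && rq.head == NULL && last_retracted_routine == demo_task;
}

int main(void) {
    printf("retract-first ordering ok: %d\n", run_retract_first_scenario());
    printf("copy-then-remove ordering ok: %d\n", run_copy_then_remove_scenario());
    return 0;
}
```

Building with `-fsanitize=address` (or running under Valgrind, as in the report) and swapping either fix for the original remove-then-dereference order is the quickest way to see why the ordering matters: the sanitizer reports the read of re->routine as a heap-use-after-free, which the poisoning memset makes visible even without a tool.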