(ITS#6657) back-sql segfault in backsql_search - openldap-bugs

22 Sep 2010


      Full_Name: David Schmitt
Version: 2.4.23-5
OS: Debian squeeze
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (193.170.188.2)
I'm seeing reproducible but inconsistent segfaults from within back-sql:
#0  slap_sl_free (ptr=0x9cc440, ctx=0x98e270) at
/home/devel/openldap/trunk/servers/slapd/sl_malloc.c:490
        p = 0xffffffee009bc130
        tmpp = <value optimized out>
#1  0x00007ffff35f7877 in backsql_free_entryID (id=0x7ffff139d678, freeit=0,
ctx=0x98e270) at /home/devel/openldap/trunk/servers/slapd/back-sql/entry-id.c:84
        next = 0x0
        __PRETTY_FUNCTION__ = "backsql_free_entryID"
#2  0x00007ffff35f0ad8 in backsql_search (op=0x98b500, rs=0x7ffff139ea40) at
/home/devel/openldap/trunk/servers/slapd/back-sql/search.c:2552
        dbh = 0x965590
        sres = <value optimized out>
        user_entry = {e_id = 0, e_name = {bv_len = 0, bv_val = 0x0}, e_nname =
{bv_len = 0, bv_val = 0x0}, e_attrs = 0x0, e_ocflags = 0, e_bv = {bv_len = 0,
bv_val = 0x0},
          e_private = 0x0}
        base_entry = {e_id = 0, e_name = {bv_len = 0, bv_val = 0x0}, e_nname =
{bv_len = 0, bv_val = 0x0}, e_attrs = 0x0, e_ocflags = 0, e_bv = {bv_len = 0,
bv_val = 0x0},
          e_private = 0x0}
        manageDSAit = 0
        stoptime = 1285164120
        bsi = {bsi_op = 0x98b500, bsi_rs = 0x7ffff139ea40, bsi_flags = 1,
bsi_base_ndn = 0x98b538, bsi_use_subtree_shortcut = 0, bsi_base_id = {eid_id =
1, eid_keyval = 1,
            eid_oc_id = 1, eid_oc = 0x98bb50, eid_dn = {bv_len = 0, bv_val =
0x0}, eid_ndn = {bv_len = 18, bv_val = 0x9cc440 "ou=samba,ou=uni-ak"}, eid_next
= 0x0},
          bsi_scope = 2, bsi_filter = 0x9bbf98, bsi_stoptime = 1285164120,
bsi_id_list = 0x0, bsi_id_listtail = 0x7ffff139d6d8, bsi_c_eid =
0x7ffff139d678,
          bsi_n_candidates = -2, bsi_status = 0, bsi_oc = 0x98b3f0, bsi_sel =
{bb_val = {bv_len = 0, bv_val = 0x0}, bb_len = 0}, bsi_from = {bb_val = {bv_len
= 0,
              bv_val = 0x0}, bb_len = 0}, bsi_join_where = {bb_val = {bv_len =
0, bv_val = 0x0}, bb_len = 0}, bsi_flt_where = {bb_val = {bv_len = 0, bv_val =
0x0},
            bb_len = 0}, bsi_filter_oc = 0x0, bsi_dbh = 0x965590, bsi_attrs =
0x0, bsi_e = 0x0}
        eid = <value optimized out>
        lastid = 0
#3  0x00000000004355c9 in fe_op_search (op=0x98b500, rs=0x7ffff139ea40) at
/home/devel/openldap/trunk/servers/slapd/search.c:366
        bd = 0x7347e0
#4  0x0000000000435ddc in do_search (op=0x98b500, rs=0x7ffff139ea40) at
/home/devel/openldap/trunk/servers/slapd/search.c:217
        base = {bv_len = 18, bv_val = 0x9ac727 "ou=samba,ou=uni-ak"}
        siz = 0
        i = 140737240492960
#5  0x0000000000433479 in connection_operation (ctx=0x7ffff139eba0, arg_v=<value
optimized out>) at /home/devel/openldap/trunk/servers/slapd/connection.c:1109
        rc = <value optimized out>
        cancel = <value optimized out>
        op = 0x98b500
        rs = {sr_type = REP_RESULT, sr_tag = 101, sr_msgid = 2, sr_err = 0,
sr_matched = 0x0, sr_text = 0x0, sr_ref = 0x0, sr_ctrls = 0x0, sr_un =
{sru_search = {
              r_entry = 0x0, r_attr_flags = 0, r_operational_attrs = 0x0,
r_attrs = 0x0, r_nentries = 0, r_v2ref = 0x0}, sru_sasl = {r_sasldata = 0x0},
sru_extended = {
              r_rspoid = 0x0, r_rspdata = 0x0}}, sr_flags = 0}
        tag = 99
        opidx = SLAP_OP_SEARCH
        conn = 0x7ffff7f3b690
        memctx = 0x98e270
        memctx_null = 0x0
        __PRETTY_FUNCTION__ = "connection_operation"
#6  0x0000000000433c65 in connection_read_thread (ctx=<value optimized out>,
argv=<value optimized out>) at
/home/devel/openldap/trunk/servers/slapd/connection.c:1245
        s = 14
I've configured back-sql with suffix 'ou=uni-ak' and am searching for
'(&(cn=p0002001)(objectclass=sambasamaccount))' (which doesn't return results)
within 
 'ou=samba,ou=uni-ak', which exists and has ~10k items in the whole tree.
The segfault happens on the second such ldapsearch in the slapd's lifetime.
Using a filter that returns multiple entries
'(&(cn=x0004291)(objectclass=sambasamaccount))', back-sql segfaults already
within the first query:
#0  slap_sl_free (ptr=0x9dd7f8, ctx=0x98e270) at
/home/devel/openldap/trunk/servers/slapd/sl_malloc.c:490
        p = 0xffffffc9009cc582
        tmpp = <value optimized out>
#1  0x00007ffff35f7896 in backsql_free_entryID (id=0x9dd7f8, freeit=1,
ctx=0x98e270) at /home/devel/openldap/trunk/servers/slapd/back-sql/entry-id.c:101
        next = 0x0
        __PRETTY_FUNCTION__ = "backsql_free_entryID"
#2  0x00007ffff35f0ee7 in backsql_search (op=0x98b500, rs=0x7ffff139ea40) at
/home/devel/openldap/trunk/servers/slapd/back-sql/search.c:2223
        dbh = 0x965590
        sres = <value optimized out>
        user_entry = {e_id = 0, e_name = {bv_len = 0, bv_val = 0x0}, e_nname =
{bv_len = 0, bv_val = 0x0}, e_attrs = 0x0, e_ocflags = 0, e_bv = {bv_len = 0,
bv_val = 0x0},
          e_private = 0x0}
        base_entry = {e_id = 1, e_name = {bv_len = 18, bv_val = 0x9cc468
"ou=samba,ou=uni-ak"}, e_nname = {bv_len = 18, bv_val = 0x9cc490
"ou=samba,ou=uni-ak"},
          e_attrs = 0x82e7b8, e_ocflags = 256, e_bv = {bv_len = 0, bv_val =
0x0}, e_private = 0x0}
        manageDSAit = 0
        stoptime = 1285164373
        bsi = {bsi_op = 0x98b500, bsi_rs = 0x7ffff139ea40, bsi_flags = 1,
bsi_base_ndn = 0x98b538, bsi_use_subtree_shortcut = 0, bsi_base_id = {eid_id =
1, eid_keyval = 1,
            eid_oc_id = 1, eid_oc = 0x98bb50, eid_dn = {bv_len = 18, bv_val =
0x9cc3d8 "ou=samba,ou=uni-ak"}, eid_ndn = {bv_len = 18, bv_val = 0x9cc440
"ou=samba,ou=uni-ak"},
            eid_next = 0x0}, bsi_scope = 2, bsi_filter = 0x9bbf98, bsi_stoptime
= 1285164373, bsi_id_list = 0x9dcc18, bsi_id_listtail = 0x9dd838, bsi_c_eid =
0x9dd7f8,
          bsi_n_candidates = -5, bsi_status = 0, bsi_oc = 0x993690, bsi_sel =
{bb_val = {bv_len = 0, bv_val = 0x0}, bb_len = 0}, bsi_from = {bb_val = {bv_len
= 0,
              bv_val = 0x0}, bb_len = 0}, bsi_join_where = {bb_val = {bv_len =
0, bv_val = 0x0}, bb_len = 0}, bsi_flt_where = {bb_val = {bv_len = 0, bv_val =
0x0},
            bb_len = 0}, bsi_filter_oc = 0x0, bsi_dbh = 0x965590, bsi_attrs =
0x0, bsi_e = 0x7ffff139d890}
        eid = 0x9dd7f8
        lastid = 0
#3  0x00000000004355c9 in fe_op_search (op=0x98b500, rs=0x7ffff139ea40) at
/home/devel/openldap/trunk/servers/slapd/search.c:366
        bd = 0x7347e0
#4  0x0000000000435ddc in do_search (op=0x98b500, rs=0x7ffff139ea40) at
/home/devel/openldap/trunk/servers/slapd/search.c:217
        base = {bv_len = 18, bv_val = 0x9ac727 "ou=samba,ou=uni-ak"}
        siz = 0
        i = 140737240492960
#5  0x0000000000433479 in connection_operation (ctx=0x7ffff139eba0, arg_v=<value
optimized out>) at /home/devel/openldap/trunk/servers/slapd/connection.c:1109
        rc = <value optimized out>
        cancel = <value optimized out>
        op = 0x98b500
        rs = {sr_type = REP_SEARCH, sr_tag = 0, sr_msgid = 0, sr_err = 0,
sr_matched = 0x0, sr_text = 0x0, sr_ref = 0x0, sr_ctrls = 0x0, sr_un =
{sru_search = {r_entry = 0x0,
              r_attr_flags = 0, r_operational_attrs = 0x0, r_attrs = 0x0,
r_nentries = 3, r_v2ref = 0x0}, sru_sasl = {r_sasldata = 0x0}, sru_extended =
{r_rspoid = 0x0,
              r_rspdata = 0x0}}, sr_flags = 1}
        tag = 99
        opidx = SLAP_OP_SEARCH
        conn = 0x7ffff7f3b690
        memctx = 0x98e270
        memctx_null = 0x0
        __PRETTY_FUNCTION__ = "connection_operation"
#6  0x0000000000433c65 in connection_read_thread (ctx=<value optimized out>,
argv=<value optimized out>) at
/home/devel/openldap/trunk/servers/slapd/connection.c:1245
        s = 14
A third query for a different mapped object class doesn't lead to a segfault at
all (within the 15 tries I tested).
I would not exclude an error in the schema mapping, but I'd prefer an error
message instead of a segfault ;-)
Thanks for your time and work,
David