https://bugs.openldap.org/show_bug.cgi?id=9553
Issue ID: 9553
Summary: Segfault in mdb_txn_abort handler caused by uninitialized pointer in mdb_reader_flush
Product: OpenLDAP
Version: 2.4.58
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: backends
Assignee: bugs@openldap.org
Reporter: jrddunbr@amazon.com
Target Milestone: ---
This is for OpenLDAP 2.4.58, git commit 350ede08564ab14a45884c6f7c32419d98a75468 best I can tell.
I have located an issue in mdb_reader_flush where it appears that an uninitialized pointer causes segfaults when threading is disabled.
In the following function: https://git.openldap.org/openldap/openldap/-/blob/350ede08564ab14a45884c6f7c...
```c
void mdb_reader_flush( MDB_env *env )
{
	void *data;	/* not initialized; only written if getkey finds an entry */
	void *ctx = ldap_pvt_thread_pool_context();

	/* getkey returns 0 on success and is expected to fill in data */
	if ( !ldap_pvt_thread_pool_getkey( ctx, env, &data, NULL ) ) {
		ldap_pvt_thread_pool_setkey( ctx, env, NULL, 0, NULL, NULL );
		mdb_reader_free( env, data );	/* data passed on to mdb_txn_abort */
	}
}
```
The `void *data;` gets random values and is not initialized to NULL; when there is no thread pool, the functions after it return without doing anything, and that pointer is passed down into mdb_reader_free, which passes it down to mdb_txn_abort, where it is (recursively) dereferenced until the pointer is NULL. This causes a segfault, as that condition is not reached before it tries reading invalid memory addresses.
The fix appears to be to make the following modification:
Change `void *data;` to `void *data = NULL;`.
I don't actually know much about the internals of this application, so I wanted to make sure that this is the correct solution before making a pull request for it.
Apologies if my C terminology is not up to snuff; this is not my forte.
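The following is an added, self-contained C example modelling the pattern described in the report above; it is not OpenLDAP or LMDB code, and the names `getkey_stub`, `getkey_real`, `reader_free`, `reader_flush_buggy` and `reader_flush_fixed` are illustrative stand-ins. The non-threaded stub is modelled as a lookup that reports success without writing its out-parameter (the behaviour the report describes), so the caller's local keeps whatever was on the stack. Because reading an indeterminate pointer is undefined behaviour and would not fail deterministically, the "garbage" value is set explicitly and detected instead of dereferenced, which is what lets the example run and show both the crash path and the `= NULL` fix side by side.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a reader chain walked by the cleanup routine until NULL
 * (stands in for what mdb_txn_abort follows; not LMDB's real layout). */
typedef struct reader {
	struct reader *next;
	int id;
} reader_t;

typedef int (*getkey_fn)(void *ctx, void *key, void **data);

/* Model of the non-threaded stub: reports success (0) but never writes *data. */
static int getkey_stub(void *ctx, void *key, void **data)
{
	(void)ctx; (void)key; (void)data;
	return 0;
}

/* Model of a threaded build: a real entry is stored and handed back via *data. */
static reader_t chain2 = { NULL, 2 };
static reader_t chain1 = { &chain2, 1 };
static int getkey_real(void *ctx, void *key, void **data)
{
	(void)ctx; (void)key;
	*data = &chain1;
	return 0;
}

/* Stand-in for the indeterminate stack contents of an uninitialized local.
 * Dereferencing it would be the segfault; here it is detected, not followed. */
#define GARBAGE ((void *)(uintptr_t)0xdeadbeefu)

/* Model of mdb_reader_free -> mdb_txn_abort: walks the chain until NULL.
 * Returns the number of entries released, or -1 where the real code would
 * have read through the garbage pointer and crashed. */
static int reader_free(void *data)
{
	if (data == GARBAGE)
		return -1;
	int n = 0;
	for (reader_t *r = data; r != NULL; r = r->next)
		n++;
	return n;
}

/* As reported: local left uninitialized (GARBAGE stands in for `void *data;`). */
static int reader_flush_buggy(getkey_fn getkey)
{
	void *data = GARBAGE;
	if (!getkey(NULL, NULL, &data))
		return reader_free(data);
	return 0;
}

/* The one-line fix proposed in the report: `void *data = NULL;`.
 * The NULL check in the cleanup routine now terminates immediately. */
static int reader_flush_fixed(getkey_fn getkey)
{
	void *data = NULL;
	if (!getkey(NULL, NULL, &data))
		return reader_free(data);
	return 0;
}

int main(void)
{
	printf("buggy, no thread pool : %d (would segfault)\n", reader_flush_buggy(getkey_stub));
	printf("fixed, no thread pool : %d\n", reader_flush_fixed(getkey_stub));
	printf("fixed, thread pool    : %d\n", reader_flush_fixed(getkey_real));
	return 0;
}
```

Note for anyone hunting this class of bug in a real tree: because `&data` is passed to an opaque call, `-Wuninitialized`/`-Wmaybe-uninitialized` typically stay silent, so the reliable detectors are runtime ones such as MemorySanitizer or Valgrind, which flag the conditional jump or load on the uninitialized value at the first dereference.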
Howard Chu hyc@openldap.org changed:
What       |Removed     |Added
-----------+------------+---------
Status     |UNCONFIRMED |RESOLVED
Resolution |---         |WONTFIX
--- Comment #1 from Howard Chu hyc@openldap.org --- Thanks for the report, but building slapd without threading enabled is a deprecated feature (and in fact removed from OpenLDAP 2.5). All modern platforms support threading, so there is no valid reason to build this way.
jrddunbr-aws jrddunbr@amazon.com changed:
What       |Removed |Added
-----------+--------+------
Resolution |WONTFIX |FIXED
--- Comment #2 from jrddunbr-aws jrddunbr@amazon.com --- Good to know.
Is that documented somewhere?
Why does the flag not warn on startup?
Thanks!
Quanah Gibson-Mount quanah@openldap.org changed:
What       |Removed  |Added
-----------+---------+---------
Resolution |FIXED    |WONTFIX
Status     |RESOLVED |VERIFIED