I have found the cause of the problem. This bug is hard to reproduce unless we make some change to the source code (e.g. put sleep(1) in the send_result function of sssvlv.c).
Illustrated steps:
1. A client sends two requests with the "server side sort" control flag to search some entries.
2. The server dispatches two threads (A and B) to handle them.
3. Thread A allocates the "so" struct and puts the "so" pointer into the static array, sort_conns.
4. Thread A cannot find any entry. free_sort_op is going to be called at the end of the send_result function.
5. At the same time, before free_sort_op is called, Thread B acquires the "so" pointer in sssvlv_op_search. This is because the ps_cookie is always zero for a newly initialized "so".
6. free_sort_op is called in Thread A.
7. For Thread B, due to op->o_conn->c_pagedresults_state.ps_cookie != ps->ps_cookie, ok becomes 0.
8. free_sort_op is called in Thread B. A double free error occurs. Server dead.
This bug will cause any slapd server to die if the sssvlv overlay is enabled.
I have fixed this problem by adding one boolean flag to the sort_op struct to indicate whether it is occupied or not.
What is the best way to submit my patch?
On Sat, Feb 18, 2017 at 2:02 AM, Quanah Gibson-Mount quanah@symas.com wrote:
--On Thursday, February 16, 2017 5:06 AM +0000 kevinanties@gmail.com wrote:
Full_Name: Kevin
Version: 2.40
OS: Debian 7
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (218.188.214.98)
Please do not file new ITSes for an existing issue. Please follow up to the original ITS with your additional information.
Thanks.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
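The interleaving in the report, replayed as a constructed C model (added here; not sssvlv.c and not Kevin's patch): a static per-connection table, a cookie that is 0 for a fresh sort op, and an assumed `so_occupied` flag standing in for the boolean the fix adds. All names are assumptions, and free_sort_op only counts so the vulnerable path can be run without undefined behaviour.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the race reported above; not the real sssvlv.c. */
typedef struct sort_op {
    unsigned long so_cookie;   /* ps_cookie: 0 for a freshly initialised so */
    int           so_occupied; /* assumed flag: slot still owned by an op */
    int           so_frees;    /* demo only: how often free_sort_op ran */
} sort_op;

#define MAX_CONNS 4
static sort_op *sort_conns[MAX_CONNS];   /* static per-connection table */

/* Step 3: thread A allocates a so and publishes it in sort_conns. */
sort_op *alloc_sort_op(int conn) {
    sort_op *so = calloc(1, sizeof *so);
    so->so_occupied = 1;
    sort_conns[conn] = so;
    return so;
}

/* Step 5: thread B looks up the slot by cookie. The vulnerable lookup
 * matches because a new so also carries cookie 0. With the flag, a slot
 * another operation still occupies is refused (NULL: caller allocates
 * its own). Real code would hold the sort_conns lock around this. */
sort_op *find_sort_op(int conn, unsigned long cookie, int fixed) {
    sort_op *so = sort_conns[conn];
    if (so == NULL || so->so_cookie != cookie) return NULL;
    if (fixed && so->so_occupied) return NULL;
    return so;
}

/* Steps 6 and 8: release the so. Counts instead of calling free(). */
int free_sort_op(sort_op *so, int conn) {
    so->so_frees++;
    so->so_occupied = 0;
    if (sort_conns[conn] == so) sort_conns[conn] = NULL;
    return so->so_frees;
}

/* Replays the interleaving and returns how many times the one so reached
 * free_sort_op: 2 reproduces the double free, 1 is the patched behaviour. */
int replay_race(int fixed) {
    memset(sort_conns, 0, sizeof sort_conns);
    sort_op *a = alloc_sort_op(0);            /* thread A, step 3 */
    sort_op *b = find_sort_op(0, 0, fixed);   /* thread B, step 5, before A frees */
    free_sort_op(a, 0);                       /* thread A, step 6 */
    int frees = b ? free_sort_op(b, 0) : a->so_frees;  /* thread B, steps 7-8 */
    free(a);
    return frees;
}
```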