Full_Name: Kevin Version: 2.40 OS: Debian 7 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (218.188.214.98)
This bug was reported but still hasn't been fixed in the recent version. See (ITS#8368). Link:
http://www.openldap.org/lists/openldap-bugs/201602/msg00005.html
When one of my Outlook clients sends an email with more than 300 recipients, the slapd server crashes.
The problem is caused by the free_sort_op function in sssvlv.c being called twice. In my scenario, the sssvlv_op_search function calls free_sort_op at line 955. However, the so pointer has already been freed by the previous free_sort_op call in the send_result function at line 706. I guess there is a chance the so pointer can be occupied in sssvlv_op_search before send_result gets completed.
Here is my gdb result:
I set two breakpoints, one on free_sort_op and the other on send_result. It clearly shows that free_sort_op was called twice: once from send_result and once from sssvlv_op_search.
Breakpoint 2, send_result (op=op@entry=0x7fffdc0028e0, rs=rs@entry=0x7fffea8baae0, so=so@entry=0x7fffdc002670) at sssvlv.c:682
58a52415 conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Breakpoint 1, free_sort_op (so=0x7fffdc002670, conn=<optimized out>) at sssvlv.c:396
396	in sssvlv.c
Breakpoint 1, free_sort_op (so=0x7fffdc002670, conn=<optimized out>) at sssvlv.c:396
396	in sssvlv.c

Program received signal SIGABRT, Aborted.
0x00007ffff6628067 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) backtrace
#0  0x00007ffff6628067 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff6629448 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007ffff66661b4 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x00007ffff666b98e in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4  0x00007ffff666c696 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#5  0x00007ffff4381abb in free_sort_op (so=0x7fffdc002670, conn=<optimized out>) at sssvlv.c:406
#6  0x00007ffff43825ad in sssvlv_op_search (op=0x7fffd8000ae0, rs=0x7fffe3ffeae0) at sssvlv.c:954
#7  0x00000000004a324a in overlay_op_walk ()
#8  0x00000000004a33b5 in ?? ()
#9  0x000000000043fa01 in fe_op_search ()
#10 0x000000000043f39c in do_search ()
#11 0x000000000043d1c5 in ?? ()
#12 0x000000000043d4ae in ?? ()
#13 0x0000000000527c18 in ?? ()
#14 0x00007ffff69a6064 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#15 0x00007ffff66db62d in clone () from /lib/x86_64-linux-gnu/libc.so.6
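The double-free shape the report describes, as an added example that is not code from OpenLDAP's sssvlv.c and not the reporter's: the struct names (sort_op, conn_slot), the take_unsafe/take_safe helpers and the 300-entry size are constructed stand-ins. Two release paths (standing in for the report's send_result and sssvlv_op_search) both reach for one shared pointer. In the unsafe form the slot is never cleared, so both paths end up holding the same live object and both would call free on it. In the hardened form the pointer is taken out of the slot with an atomic exchange, so only the first caller owns the free and the second gets NULL. The demo counts how many paths would free instead of performing the second free, so it does not abort the way the SIGABRT above does.

```c
/* Added example: model of a two-path double free and the take-and-clear fix.
 * Not OpenLDAP code; struct and function names below are assumed stand-ins. */
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed stand-in for the per-search sort state the report calls "so". */
struct sort_op {
    int *entries;   /* stands in for the collected search entries */
    size_t count;
};

/* Assumed stand-in for the per-connection slot that both paths look at. */
struct conn_slot {
    _Atomic(struct sort_op *) so;
};

typedef struct sort_op *(*take_fn)(struct conn_slot *);

static struct sort_op *sort_op_new(size_t n)
{
    struct sort_op *so = calloc(1, sizeof *so);
    if (so == NULL)
        return NULL;
    so->entries = calloc(n, sizeof *so->entries);
    if (so->entries == NULL) {
        free(so);
        return NULL;
    }
    so->count = n;
    return so;
}

/* Releases the object. Must run at most once per object. */
static void sort_op_destroy(struct sort_op *so)
{
    if (so == NULL)
        return;
    free(so->entries);
    free(so);
}

/* UNSAFE: hands the pointer out without clearing the slot, so a second path
 * that runs later (the report's sssvlv_op_search after send_result) receives
 * the very same object and would free it again. */
static struct sort_op *take_unsafe(struct conn_slot *slot)
{
    return atomic_load(&slot->so);
}

/* HARDENED: whoever swaps the slot to NULL owns the free; every later caller
 * sees NULL and has nothing to release. The exchange is atomic, so this also
 * holds when the two paths race on different threads. */
static struct sort_op *take_safe(struct conn_slot *slot)
{
    return atomic_exchange(&slot->so, (struct sort_op *)NULL);
}

/* Runs the two release paths in order and returns how many of them ended up
 * holding the object, i.e. how many would call free. 1 is correct; 2 means the
 * second free would be a double free. The object is destroyed exactly once
 * here so the demonstration itself stays memory-safe. */
static int release_paths(take_fn take)
{
    struct conn_slot slot;
    struct sort_op *first, *second;
    int owners = 0;

    atomic_init(&slot.so, sort_op_new(300));  /* 300: constructed size only */

    first = take(&slot);            /* result-sending path */
    if (first != NULL)
        owners++;

    second = take(&slot);           /* search path, after the result went out */
    if (second != NULL)
        owners++;

    /* With take_unsafe, first == second; freeing both would abort in glibc. */
    sort_op_destroy(first != NULL ? first : second);
    return owners;
}

int main(void)
{
    printf("unsafe: paths that would free the op = %d\n", release_paths(take_unsafe));
    printf("safe:   paths that would free the op = %d\n", release_paths(take_safe));
    return 0;
}
```

release_paths(take_unsafe) returns 2 and release_paths(take_safe) returns 1. The same take-and-clear idea applies whenever a pointer is reachable from more than one cleanup path: clear the shared reference at the moment ownership is taken, under a lock or with an atomic exchange, rather than freeing through a copy of the pointer that other code can still see.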