https://bugs.openldap.org/show_bug.cgi?id=9608

Issue ID: 9608 Summary: slapo-syncprov: Replace op on olcSpSessionlog segfault Product: OpenLDAP Version: 2.4.59 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: overlays Assignee: bugs@openldap.org Reporter: quanah@openldap.org Target Milestone: ---

With the following Syncprov overlay configuration:

dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config objectClass: olcSyncProvConfig objectClass: olcOverlayConfig olcOverlay: {0}syncprov olcSpCheckpoint: 100 10

You can crash slapd with the following modification as the cn=config rootdn:

dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config changetype: modify replace: olcSpSessionlog olcSpSessionlog: 10000

GDB backtrace shows:

#0 0x00007f7b43f8b954 in sp_cf_gen (c=0x7f7b0761b450) at syncprov.c:3164 on = 0x55d6fb385b90 si = 0x55d6fb35c700 rc = 0 #1 0x000055d6fa4da4ec in config_modify_internal (ca=0x7f7b0761b450, rs=<optimized out>, op=<optimized out>, ce=<optimized out>) at bconfig.c:5773 vals = 0x7f7af8002680 nvals = 0x0 d = <optimized out> e = 0x55d6fb335a38 save_attrs = 0x55d6fb349498 a = 0x55d6fb350180 i = <optimized out> dels = 0x0 rc = <optimized out> oc_at = <optimized out> ct = 0x7f7b441970e0 <spcfg+64> nocs = 3 ptr = <optimized out> s = 0x0 deltail = 0x0 ml = 0x7f7af8102cd0 #2 config_back_modify (op=<optimized out>, rs=<optimized out>) at bconfig.c:5943 cfb = <optimized out> ce = <optimized out> last = 0x55d6fb387f30 ml = <optimized out> ca = {argc = 1, argv = 0x7f7af8103610, argv_size = 513, line = 0x0, tline = 0x0, fname = 0x55d6fa5f5a91 "slapd", lineno = 0, log = "olcSpSessionlog: value #0", '\000' <repeats 4098 times>, reply = {err = 0, msg = "modify/delete: olcSpSessionlog: no such attribute", '\000' <repeats 206 times>}, depth = 0, valx = -1, values = {v_int = 10000, v_uint = 10000, v_long = 10000, v_ulong = 10000, v_ber_t = 10000, v_string = 0x2710 <Address 0x2710 out of bounds>, v_bv = {bv_len = 10000, bv_val = 0x0}, v_dn = {vdn_dn = { bv_len = 10000, bv_val = 0x0}, vdn_ndn = {bv_len = 0, bv_val = 0x0}}, v_ad = 0x2710}, rvalue_vals = 0x0, rvalue_nvals = 0x0, op = 1, type = 2, ca_op = 0x7f7af80028f0, be = 0x55d6fb35c880, bi = 0x55d6fb385b90, ca_entry = 0x55d6fb335a38, ca_private = 0x0, cleanup = 0x0, table = Cft_Overlay} rdn = {bv_len = 10, bv_val = 0x55d6fb385d70 "olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config"} ptr = <optimized out> rad = 0x55d6fb31a570 do_pause = <optimized out> #3 0x000055d6fa508b89 in fe_op_modify (op=0x7f7af80028f0, rs=0x7f7b0761d860) at modify.c:303 update = <optimized out> repl_user = <optimized out> op_be = <optimized out> bd = 0x55d6fa87da80 <slap_frontendDB> textbuf = "\006\000\000\000y\000\000\000\001\000\000\000\300\000\000\000\000\000\000\000\020\001\000\000\000\000\000\000\000\000\000\000P\215.\373\326U\000\000 \307a\a{\177\000\000\006\000\000\000\000\000\000\000u\335P\372\326U\000\000`\330a\a{\177\000\000\344l\207\372\326U\000\000\005\000\000\000\000\000\000\000 \036\000\370z\177\000\000\017\000\000\000\000\000\000\000B[\233G{\177\000\000\064\000\000\000\000\000\000\000\000_Z\004\321WbM\300\307a\a{\177", '\000' <repeats 18 times>, "\320,\020\370z\177\000\000p]5\373\326U", '\000' <repeats 18 times>, "J\227P\372\326U\000\000\200\n\000\370z\177\000\000"... #4 0x000055d6fa50ab7d in do_modify (op=0x7f7af80028f0, rs=0x7f7b0761d860) at modify.c:177 dn = {bv_len = 51, bv_val = 0x7f7af8002867 "olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config"} textbuf = "olcSpSessionlog", '\000' <repeats 240 times> tmp = 0x0 #5 0x000055d6fa4f068c in connection_operation (ctx=ctx@entry=0x7f7b0761dad0, arg_v=arg_v@entry=0x7f7af80028f0) at connection.c:1182 rc = 80 cancel = <optimized out> op = 0x7f7af80028f0 rs = {sr_type = REP_RESULT, sr_tag = 0, sr_msgid = 0, sr_err = 0, sr_matched = 0x0, sr_text = 0x0, sr_ref = 0x0, sr_ctrls = 0x0, sr_un = {sru_search = { r_entry = 0x0, r_attr_flags = 0, r_operational_attrs = 0x0, r_attrs = 0x0, r_nentries = 0, r_v2ref = 0x0}, sru_sasl = {r_sasldata = 0x0}, sru_extended = { r_rspoid = 0x0, r_rspdata = 0x0}}, sr_flags = 0} tag = 102 opidx = SLAP_OP_MODIFY conn = 0x55d6fb522120 memctx = 0x7f7af8000a80 memctx_null = 0x0 memsiz = 1048576 __PRETTY_FUNCTION__ = "connection_operation" #6 0x000055d6fa4f09fb in connection_read_thread (ctx=0x7f7b0761dad0, argv=0xb) at connection.c:1318 rc = <optimized out> cri = {op = 0x7f7af80028f0, func = 0x0, arg = 0x0, ctx = <optimized out>, nullop = <optimized out>} s = <optimized out> #7 0x00007f7b4937527a in ldap_int_thread_pool_wrapper (xpool=0x55d6fb3101d0) at tpool.c:696 pool = 0x55d6fb3101d0 task = 0x7f7b00000b40 work_list = <optimized out> ctx = {ltu_id = 140166381561600, ltu_key = {{ltk_key = 0x55d6fa4ee6a0 <conn_counter_init>, ltk_data = 0x7f7af8002710, ltk_free = 0x55d6fa4ee780 <conn_counter_destroy>}, {ltk_key = 0x55d6fa549200 <slap_sl_mem_init>, ltk_data = 0x7f7af8000a80, ltk_free = 0x55d6fa5490c0 <slap_sl_mem_destroy>}, {ltk_key = 0x55d6fa504fd0 <slap_op_free>, ltk_data = 0x0, ltk_free = 0x55d6fa504f30 <slap_op_q_destroy>}, { ltk_key = 0x0, ltk_data = 0x0, ltk_free = 0x0} <repeats 26 times>, {ltk_key = 0x0, ltk_data = 0x7f7b484ffd61 <_L_unlock_3056+19>, ltk_free = 0x0}, { ltk_key = 0x0, ltk_data = 0x0, ltk_free = 0x0}, {ltk_key = 0x0, ltk_data = 0x0, ltk_free = 0x0}}} kctx = <optimized out> keyslot = <optimized out> hash = <optimized out> __PRETTY_FUNCTION__ = "ldap_int_thread_pool_wrapper" #8 0x00007f7b484feea5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #9 0x00007f7b479bb9fd in clone () from /lib64/libc.so.6 No symbol table info available.