https://bugs.openldap.org/show_bug.cgi?id=9262

--- Comment #1 from [email protected] ---
We've encountered a similar segfault.

Program terminated with signal SIGSEGV, Segmentation fault.
#0  ldap_chain_op (op=op@entry=0x7f32a812df70, rs=rs@entry=0x7f32bd14b9a0,
op_f=0x56207ba8aa50 <ldap_back_search>, ref=ref@entry=0x0, 
    depth=depth@entry=0) at chain.c:422
422             for ( ; !BER_BVISNULL( ref ); ref++ ) {

The segfault occurred because ref itself is NULL as you can see, and
BER_BVISNULL checks for ref->by_val:

# include/lber_pvt.h
217 #define BER_BVISNULL(bv)        ((bv)->bv_val == NULL)

Our backtrace contains:

#bt
#0  ldap_chain_op (op=op@entry=0x7fb1f018d820, rs=rs@entry=0x7fb21bffe9a0,
op_f=0x55a4b9a9ca50 <ldap_back_search>, 
    ref=ref@entry=0x0, depth=depth@entry=0) at chain.c:422
#1  0x000055a4b9aec883 in ldap_chain_response (op=0x7fb1f018d820,
rs=0x7fb21bffe9a0) at chain.c:1061
#2  0x000055a4b9a711e8 in over_back_response (op=0x7fb1f018d820,
rs=0x7fb21bffe9a0) at backover.c:237
#3  0x000055a4b9a147f6 in slap_response_play (op=op@entry=0x7fb1f018d820,
rs=rs@entry=0x7fb21bffe9a0) at result.c:508
#4  0x000055a4b9a14d50 in send_ldap_response (op=op@entry=0x7fb1f018d820,
rs=rs@entry=0x7fb21bffe9a0) at result.c:583
#5  0x000055a4b9a158f2 in slap_send_ldap_result (op=0x7fb1f018d820,
rs=0x7fb21bffe9a0) at result.c:861
#6  0x000055a4b9ab3750 in mdb_search (op=0x7fb1f018d820, rs=0x7fb21bffe9a0) at
search.c:552
...

In our case, we got here from ldap_chain_response, which defines ref as:

# servers/slapd/back-ldap/chain.c
 955 static int
 956 ldap_chain_response( Operation *op, SlapReply *rs )
 957 {
...
 967         BerVarray       ref;

However, in this case, its value comes from rs->sr_ref, which does get set to
NULL in various locations in the code in some situations and therefore appears
to be a valid value.

1025         ref = rs->sr_ref;
1026         rs->sr_ref = NULL;
...
1062         case LDAP_REQ_DELETE:
1063                 rc = ldap_chain_op( op, rs, op_delete, ref, 0 );

The assumption of the check at chain.c:422 seems to be that ref itself won't be
NULL. We're working to identify the circumstances that get us to this.
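To make the failure mode in the report concrete, here is an added, self-contained C example (not OpenLDAP's code). It uses a stand-in `struct berval` that is assumed to mirror liblber's `bv_len`/`bv_val` layout, copies the shape of the `BER_BVISNULL` macro quoted above, and shows the loop from chain.c:422 beside a variant that treats a NULL `BerVarray` as an empty array. The referral values are constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for liblber's struct berval (assumption: same bv_len/bv_val
 * layout as the real header; not taken from OpenLDAP). */
typedef struct berval {
    size_t bv_len;
    char  *bv_val;
} BerValue, *BerVarray;

/* Same shape as the BER_BVISNULL macro quoted in the report: it reads
 * through bv, so bv itself must be non-NULL before it is used. */
#define BER_BVISNULL(bv) ((bv)->bv_val == NULL)

/* Loop with the shape of chain.c:422: walks a NULL-terminated BerVarray
 * and counts its entries. Dereferences NULL when ref is NULL, which is
 * the crash the backtrace shows. */
static size_t count_refs_unchecked(BerVarray ref)
{
    size_t n = 0;
    for ( ; !BER_BVISNULL( ref ); ref++ ) {
        n++;
    }
    return n;
}

/* Hardened variant (example mitigation, not the project's fix): a NULL
 * array is treated like an empty one, since rs->sr_ref is legitimately
 * NULL on some code paths. */
static size_t count_refs_checked(BerVarray ref)
{
    size_t n = 0;
    if ( ref == NULL ) {
        return 0;
    }
    for ( ; !BER_BVISNULL( ref ); ref++ ) {
        n++;
    }
    return n;
}

/* Constructed sample: two referral URIs followed by the NULL terminator
 * that marks the end of a BerVarray. */
static size_t sample_ref_count_checked(void)
{
    BerValue refs[] = {
        { 19, "ldap://a.example/dc" },
        { 19, "ldap://b.example/dc" },
        { 0, NULL },
    };
    return count_refs_checked(refs);
}

static size_t sample_ref_count_unchecked(void)
{
    BerValue refs[] = {
        { 19, "ldap://a.example/dc" },
        { 19, "ldap://b.example/dc" },
        { 0, NULL },
    };
    return count_refs_unchecked(refs);
}

int main(void)
{
    printf("checked, two refs:   %zu\n", sample_ref_count_checked());
    printf("unchecked, two refs: %zu\n", sample_ref_count_unchecked());
    printf("checked, NULL array: %zu\n", count_refs_checked(NULL));
    /* count_refs_unchecked(NULL) would segfault, as in the report. */
    return 0;
}
```

Both loops agree on a well-formed array; they differ only on the NULL case, which is exactly the input `ldap_chain_response` can pass when `rs->sr_ref` was never set. A guard at the call site or at the top of `ldap_chain_op` closes that gap without changing behaviour for non-empty referral lists.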
