https://bugs.openldap.org/show_bug.cgi?id=9966

          Issue ID: 9966
           Summary: slapd crashes in pcache consistency_check()
           Product: OpenLDAP
           Version: 2.5.13
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Keywords: needs_review
          Severity: normal
          Priority: ---
         Component: overlays
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

The pcache overlay (when run with multiple templates) crashes in the
consistency checker. Cause appears to be that "expires" is not reset for the
next iteration of the template loop. I can provide more details if necessary.
Server does not crash with this in place:

diff --git a/servers/slapd/overlays/pcache.c b/servers/slapd/overlays/pcache.c
index 423c19641e72..7b9e2061f927 100644
--- a/servers/slapd/overlays/pcache.c
+++ b/servers/slapd/overlays/pcache.c
@@ -3628,6 +3628,8 @@ consistency_check(
                        if ( rem ) free_query(query);
                }

+               expires = NULL;
+
                /* handle refreshes that we skipped earlier */
                if ( templ->ttr ) {
                        ldap_pvt_thread_rdwr_rlock(&templ->t_rwlock);
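Review bot: the reset lands between the expiry sweep and the `templ->ttr` refresh block, so the refresh code for this template can never see the `expires` value the sweep just computed; if that block consumes `expires`, the reset belongs at the top of the per-template loop, next to the other per-template initialisation, and if it does not, a top-of-loop reset is equally correct and additionally covers any `continue` path in the outer loop that would skip this line. The valgrind trace backs the loop-carry diagnosis: the block is freed by the `free_query(query)` call at pcache.c:3628, the first context line of this hunk, and read at pcache.c:3604, earlier in the same function, which can only happen on a later template's iteration. A one-line comment stating that `expires` must not survive into the next template would keep a future refactor from dropping the reset.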

valgrind says:
==217138== Thread 13:
==217138== Invalid read of size 8
==217138==    at 0x63949EE: consistency_check (pcache.c:3604)
==217138==    by 0x48A5DB9: ldap_int_thread_pool_wrapper (tpool.c:1053)
==217138==    by 0x5016801: start_thread (in /usr/lib64/libc.so.6)
==217138==    by 0x4FB6313: clone (in /usr/lib64/libc.so.6)
==217138==  Address 0x6d14c60 is 160 bytes inside a block of size 240 free'd
==217138==    at 0x48470E4: free (vg_replace_malloc.c:872)
==217138==    by 0x63949DE: UnknownInlinedFun (pcache.c:1548)
==217138==    by 0x63949DE: consistency_check (pcache.c:3628)
==217138==    by 0x48A5DB9: ldap_int_thread_pool_wrapper (tpool.c:1053)
==217138==    by 0x5016801: start_thread (in /usr/lib64/libc.so.6)
==217138==    by 0x4FB6313: clone (in /usr/lib64/libc.so.6)
==217138==  Block was alloc'd at
==217138==    at 0x484486F: malloc (vg_replace_malloc.c:381)
==217138==    by 0x48C8804: ber_memalloc_x (memory.c:228)
==217138==    by 0x4598C2: ch_malloc (in /usr/local/libexec/slapd)
==217138==    by 0x6391276: add_query (pcache.c:1562)
==217138==    by 0x639ADEF: pcache_op_cleanup (pcache.c:2376)
==217138==    by 0x52498D: ??? (in /usr/local/libexec/slapd)
==217138==    by 0x452C32: ??? (in /usr/local/libexec/slapd)
==217138==    by 0x4536BC: slap_send_ldap_result (in /usr/local/libexec/slapd)
==217138==    by 0x4CF9EA: ldap_back_search (in /usr/local/libexec/slapd)
==217138==    by 0x4BD022: overlay_op_walk (in /usr/local/libexec/slapd)
==217138==    by 0x4BD1A0: ??? (in /usr/local/libexec/slapd)
==217138==    by 0x4415D8: fe_op_search (in /usr/local/libexec/slapd)
==217138== 

Happy Holidays!
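As an added illustration, not code from the report or from OpenLDAP: a reduced C model of the pattern the report describes, a pointer (`expires`) declared outside the per-template loop, set while handling one template, and still read while handling the next after the query it points at has been freed. The structures (`query_t`, `templ_t`), the refresh behaviour (a refreshed answer becomes a new entry and the old one is released) and the scenario data are this example's own assumptions, not pcache's design; "freeing" only clears a live flag so the pass can count the stale read instead of crashing. `consistency_pass()` returns the number of reads made through a freed query, once with the pointer carried across templates and once with it reset at the start of each template.

```c
/* Added example, not OpenLDAP code: model of a loop-carried pointer that
 * outlives the object it points at. All names here are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_QUERIES 8

typedef struct query {
    long expiry_time;
    int refcnt;      /* outstanding users of this cached answer */
    bool live;       /* cleared by model_free(); a real build would free() */
} query_t;

typedef struct templ {
    long ttl;        /* lifetime granted to a cached answer */
    long ttr;        /* refresh interval; 0 means this template never refreshes */
    query_t q[MAX_QUERIES];
    size_t nq;
} templ_t;

static query_t *add_query(templ_t *t, long expiry, int refcnt)
{
    if (t->nq >= MAX_QUERIES)
        return NULL;
    query_t *q = &t->q[t->nq++];
    q->expiry_time = expiry;
    q->refcnt = refcnt;
    q->live = true;
    return q;
}

/* Model of free_query(): the slot stays addressable so a stale access can be
 * counted instead of being undefined behaviour. */
static void model_free(query_t *q) { q->live = false; }

/* Every read through a possibly stale pointer goes through here. */
static long expiry_of(const query_t *q, int *stale)
{
    if (!q->live)
        (*stale)++;
    return q->expiry_time;
}

/* One pass over all templates. reset_per_template selects the fixed behaviour.
 * Returns how many reads went through a freed query. */
int consistency_pass(templ_t *templates, size_t ntempl, long now,
                     bool reset_per_template)
{
    query_t *expires = NULL;   /* declared outside the template loop */
    int stale = 0;

    for (size_t t = 0; t < ntempl; t++) {
        templ_t *templ = &templates[t];
        size_t n = templ->nq;  /* do not revisit entries appended below */

        if (reset_per_template)
            expires = NULL;    /* the fix: per-template state starts clean */

        /* Sweep: idle expired answers are dropped; in-use ones get their TTL
         * extended and the one expiring soonest is remembered for refresh. */
        for (size_t i = 0; i < n; i++) {
            query_t *q = &templ->q[i];
            if (!q->live || q->expiry_time >= now)
                continue;
            if (q->refcnt == 0) {
                model_free(q);
                continue;
            }
            q->expiry_time = now + templ->ttl;
            /* This comparison reads through `expires`; if it still points at a
             * query released while handling an earlier template, this is the
             * invalid read. */
            if (!expires || q->expiry_time < expiry_of(expires, &stale))
                expires = q;
        }

        /* Refresh: the remembered query is re-run, the fresh answer becomes a
         * new entry and the old one is released. Nothing clears `expires`. */
        if (templ->ttr && expires) {
            (void)add_query(templ, now + templ->ttl, 0);
            model_free(expires);
        }
    }
    return stale;
}

/* Constructed scenario: two templates, each holding one expired answer that is
 * still in use; only the first template refreshes. */
int stale_reads_in_scenario(bool reset_per_template)
{
    templ_t tmpl[2];
    memset(tmpl, 0, sizeof tmpl);
    tmpl[0].ttl = 300; tmpl[0].ttr = 60; add_query(&tmpl[0], 500, 1);
    tmpl[1].ttl = 300; tmpl[1].ttr = 0;  add_query(&tmpl[1], 500, 1);
    return consistency_pass(tmpl, 2, 1000, reset_per_template);
}

int main(void)
{
    printf("expires carried across templates: %d stale read(s)\n",
           stale_reads_in_scenario(false));
    printf("expires reset per template:       %d stale read(s)\n",
           stale_reads_in_scenario(true));
    return 0;
}
```

Under valgrind or ASan the real code fails at the read; the counter stands in for that here. The point is the pointer's lifetime rather than the exact line the reset lives on: any reset is correct provided it runs before the next template's first read through the pointer.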
