*ns-slapd* no longer crashes when freeing a search results object
Previously, when Directory Server freed a search results object, there was a brief window before the freed pointer was cleared from the `pagedresults` handle. If the `pagedresults` handle was released due to a timeout during this window, a double free occurred, causing *ns-slapd* to crash. This problem has been eliminated, and a double free no longer occurs when freeing search results objects.
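The ordering bug described above, as an added illustration that is not 389-ds code: the structures, function names and the `freed` counter are hypothetical, and the counter stands in for `free()` so a double free is reported instead of aborting. It contrasts freeing before the shared handle is cleared with detaching from the handle under its lock first.

```c
/* Added example, not 389-ds-base code: models a result set that a
 * per-connection paged-results handle points at, and two paths that
 * may release it. A free counter replaces free() so the test can
 * observe a double free without crashing. */
#include <pthread.h>
#include <stddef.h>

struct search_results { int freed; };   /* stands in for the back-end result set */
struct paged_handle {                     /* stands in for the pagedresults handle */
    pthread_mutex_t lock;
    struct search_results *sr;
};

static void release_results(struct search_results *sr) { if (sr) sr->freed++; }

/* Timeout path: take ownership of whatever the handle holds, under the lock. */
void timeout_release(struct paged_handle *h) {
    pthread_mutex_lock(&h->lock);
    struct search_results *sr = h->sr;
    h->sr = NULL;
    pthread_mutex_unlock(&h->lock);
    release_results(sr);                  /* NULL is a no-op, like free(NULL) */
}

/* Buggy order: free first, clear the handle afterwards. A timeout that
 * fires in between still sees the stale pointer and frees it again. */
void search_done_unsafe(struct paged_handle *h, int timeout_fires_between) {
    release_results(h->sr);               /* memory released ... */
    if (timeout_fires_between)            /* ... handle still points at it */
        timeout_release(h);
    pthread_mutex_lock(&h->lock); h->sr = NULL; pthread_mutex_unlock(&h->lock);
}

/* Safe order: detach under the lock, then free the private copy. Once the
 * handle is NULL the timeout path has nothing left to free. */
void search_done_safe(struct paged_handle *h, int timeout_fires_between) {
    pthread_mutex_lock(&h->lock);
    struct search_results *sr = h->sr;
    h->sr = NULL;
    pthread_mutex_unlock(&h->lock);
    if (timeout_fires_between)
        timeout_release(h);
    release_results(sr);
}

/* Runs one interleaving and returns how many times the result set was
 * freed: 1 is correct, 2 is the double free in the crash report. */
int simulate(int safe, int timeout_fires_between) {
    struct search_results sr = { 0 };
    struct paged_handle h = { PTHREAD_MUTEX_INITIALIZER, &sr };
    if (safe) search_done_safe(&h, timeout_fires_between);
    else      search_done_unsafe(&h, timeout_fires_between);
    return sr.freed;
}
```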
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2016-0737.html
Description of problem: customer is experiencing a crash using rhel6.7, more precisely, using release 60 + fix for crash paged searches with this signature:

```
Thread 1 (Thread 0x7f1d8d66a7c0 (LWP 26260)):
#0  0x0000003195432625 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        resultvar = 0
        pid = <value optimized out>
        selftid = 26260
#1  0x0000003195433e05 in abort () at abort.c:92
        save_stage = 2
        act = {__sigaction_handler = {sa_handler = 0x7fffd7ed4bd8, sa_sigaction = 0x7fffd7ed4bd8}, sa_mask = {__val = {140736816040896, 140736816053753, 18, 212958803342, 3, 140736816040906, 6, 212958803346, 2, 140736816040894, 2, 212958796611, 1, 212958803342, 3, 140736816040902}}, sa_flags = 10, sa_restorer = 0x3195557592}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x0000003195470537 in __libc_message (do_abort=2, fmt=0x3195558780 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:198
        ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffd7ed5540, reg_save_area = 0x7fffd7ed5450}}
        ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fffd7ed5540, reg_save_area = 0x7fffd7ed5450}}
        fd = 2
        on_2 = <value optimized out>
        list = <value optimized out>
        nlist = <value optimized out>
        cp = <value optimized out>
        written = <value optimized out>
#3  0x0000003195475e66 in malloc_printerr (action=3, str=0x319555686e "free(): invalid pointer", ptr=<value optimized out>) at malloc.c:6336
        buf = "00007f1cf000dd10"
        cp = <value optimized out>
#4  0x0000003aa664c416 in slapi_ch_free (ptr=0x7f1cf0003ee0) at ldap/servers/slapd/ch_malloc.c:363
No locals.
#5  0x00007f1d886b7ccd in delete_search_result_set (pb=0x0, sr=0x7f1d34022a18) at ldap/servers/slapd/back-ldbm/ldbm_search.c:1897
        rc = 0
        filt_errs = 0
#6  0x0000003aa668fe30 in pagedresults_cleanup (conn=0x7f1d73104cd0, needlock=0) at ldap/servers/slapd/pagedresults.c:764
        rc = <value optimized out>
        i = <value optimized out>
        prp = 0x7f1d34022a10
#7  0x0000000000414a00 in connection_cleanup (conn=0x7f1d73104cd0) at ldap/servers/slapd/connection.c:207
No locals.
#8  0x0000000000415971 in connection_table_move_connection_out_of_active_list (ct=0x21acfe0, c=0x7f1d73104cd0) at ldap/servers/slapd/conntable.c:322
No locals.
#9  0x000000000041849e in setup_pr_read_pds (ports=0x7fffd7ed5be0) at ldap/servers/slapd/daemon.c:1708
        add_fd = <value optimized out>
        c = 0x7f1d73104cd0
        socketdesc = 0
        count = 38
        next = 0x7f1d73105e50
        accept_new_connections = <value optimized out>
        slapdFrontendConfig = <value optimized out>
        max_threads_per_conn = 5
        n_listeners = <value optimized out>
        last_accept_new_connections = 1
#10 slapd_daemon (ports=0x7fffd7ed5be0) at ldap/servers/slapd/daemon.c:1165
```

Version-Release number of selected component (if applicable): 389-ds-base-1.2.11.15-60.2.el6_7.x86_64

How reproducible: very rarely.

Steps to Reproduce: unknown.

Additional info: The full stack trace can be found in bz 1247792