Bug 231507

Summary: rhds72 Modification of directory entries with VLV-indexed null-value attributes results in server crash
Product: Red Hat Directory Server Reporter: Marco Rhodes <mrhodes>
Component: Database - Indexes/Searches Assignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE QA Contact: Viktor Ashirov <vashirov>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.2 CC: nhosoi
Target Milestone: DS8.0   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-06 14:41:04 UTC Type: ---
Bug Blocks: 152373, 159328, 240316    
Attachments (Description: Flags):
diffs: none
cvs commit log: none

Description Marco Rhodes 2007-03-08 19:27:27 UTC
Description of problem:

The crash happens when you have a modify containing an attribute with some
values followed by an attribute with no values, and the attributes are one of
the attributes sorted on by the VLV search.  For example, when you create a
browsing index in the console, it creates a VLV index sorted first by cn, then
givenname, then o, then ou, then sn.  So if the entry you are modifying, prior
to the modify request, has a value for cn, but none for givenname, the server
will crash.

Comment 1 Rich Megginson 2007-03-08 21:09:24 UTC
Created attachment 149634
diffs

Comment 2 Noriko Hosoi 2007-03-08 21:16:53 UTC
Your fix looks good.

Comment 3 Rich Megginson 2007-03-14 16:29:02 UTC
Created attachment 150065
cvs commit log

Reviewed by: nkinder, nhosoi, prowley (Thanks!)
File: ldapserver/ldap/servers/slapd/back-ldbm/vlv.c
Fix Description: The value lowest_value is defined outside the loop that loops
through all the attributes in the vlv sort specification (e.g. usually
something like cn givenname o ou sn if defined by the console browsing index). 
lowest_value is not reset for each loop iteration.  So if it goes through the
loop one time for e.g. givenname, and givenname has values, lowest_value will
point to the lowest value of givenname until the key is created, then it is
freed.  So the next loop iteration uses o, and if for example o does not have
any values, lowest_value will point to the already freed memory used by the
givenname iteration, which is now garbage (e.g. the lowest_value->bv_len may be
very large, which is the probable cause of the malloc out of memory errors seen
by the customer).  The solution is to reset lowest_value to NULL before each
loop iteration (I did this by moving the declaration and initialization of
lowest_value inside the loop scope) and testing for lowest_value == NULL before
trying to use it.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
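
The stale-pointer pattern from the fix description above, as an added C example that is not part of the original bug report or of vlv.c: only the name `lowest_value` comes from the page, while `struct val`, `struct attr`, `lowest_of`, `build_key` and the sample entry are hypothetical stand-ins. Values live in static storage here, so the pre-fix mode produces a wrong key component instead of touching freed memory.

```c
#include <stdio.h>
#include <string.h>
/* Simplified stand-ins (assumptions), not the slapd types used in vlv.c. */
struct val  { size_t len; const char *data; };
struct attr { const char *type; const struct val *vals; size_t nvals; };
/* Lowest value of one attribute, or NULL when the attribute has no values. */
static const struct val *lowest_of(const struct attr *a) {
    const struct val *low = NULL;
    for (size_t i = 0; i < a->nvals; i++)
        if (low == NULL || strcmp(a->vals[i].data, low->data) < 0)
            low = &a->vals[i];
    return low;
}

/* Build "v1|v2|...|" over the sort attributes; returns 0, or -1 if it won't fit.
 * reset_per_attr == 0 models the pre-fix scope: the pointer survives from the
 * previous attribute and is reused when the current attribute has no values. */
int build_key(const struct attr *attrs, size_t n, int reset_per_attr,
              char *out, size_t outsz) {
    const struct val *lowest_value = NULL;
    size_t used = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (reset_per_attr)
            lowest_value = NULL;          /* fix: start each attribute clean */
        const struct val *found = lowest_of(&attrs[i]);
        if (found != NULL) lowest_value = found;
        size_t len = lowest_value ? lowest_value->len : 0;  /* NULL test */
        if (used + len + 2 > outsz) return -1;
        if (len) memcpy(out + used, lowest_value->data, len);
        used += len;
        out[used++] = '|';
        out[used] = '\0';
    }
    return 0;
}

/* Constructed entry: givenname and ou have no values. */
static const struct val cn[] = {{3, "Bob"}}, o[] = {{7, "Example"}}, sn[] = {{5, "Jones"}};
const struct attr entry[] = {
    {"cn", cn, 1}, {"givenname", NULL, 0}, {"o", o, 1}, {"ou", NULL, 0}, {"sn", sn, 1} };

int main(void) {
    char key[64];
    for (int r = 0; r <= 1; r++)
        printf("reset=%d rc=%d key=%s\n", r, build_key(entry, 5, r, key, sizeof key), key);
    return 0;
}
```

With the reset, the empty attributes contribute empty key components; without it, each empty attribute silently repeats the previous attribute's value.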

Comment 4 Rich Megginson 2007-03-14 16:36:58 UTC
Committed fix to HEAD.
Checking in vlv.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/vlv.c,v  <--  vlv.c
new revision: 1.13; previous revision: 1.12
done


Comment 5 Chandrasekar Kannan 2007-07-25 19:05:43 UTC
DS7.2 is not a valid milestone anymore. Anything that's set to DS7.2 should be
set to DS8.0. Will make further changes per bug council on 07/24/2007, after this.