Bug 1259516 - crash in bind operation csnset_free
Status: CLOSED INSUFFICIENT_DATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.1
Assigned To: Noriko Hosoi
Viktor Ashirov
Reported: 2015-09-02 16:47 EDT by German Parente
Modified: 2015-09-22 10:06 EDT

Doc Type: Bug Fix
Last Closed: 2015-09-14 12:02:08 EDT
Type: Bug

Attachments
Full stack trace (177.12 KB, text/plain)
2015-09-02 16:47 EDT, German Parente
access log buffer (525.55 KB, text/plain)
2015-09-02 17:04 EDT, German Parente

Description German Parente 2015-09-02 16:47:22 EDT
Created attachment 1069590
Full stack trace

Description of problem:

Server crashes during a bind operation when freeing the CSN of the internal entry requested for the password policy check.

The full bt is in the attachment. Here is an extract:

Core was generated by `/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-SCHAEFFLER-COM -i /var/run/dirsrv/slapd'.
Program terminated with signal 11, Segmentation fault.
#0  csnset_purge (csnset=csnset@entry=0x7fd448101680, 
    csnUpTo=csnUpTo@entry=0x0) at ldap/servers/slapd/csnset.c:323
323					nnext = n->next;



#0  csnset_purge (csnset=csnset@entry=0x7fd448101680, csnUpTo=csnUpTo@entry=0x0) at ldap/servers/slapd/csnset.c:323
#1  0x00007fd4a3e87767 in csnset_free (csnset=csnset@entry=0x7fd448101680) at ldap/servers/slapd/csnset.c:162
#2  0x00007fd4a3f06a89 in value_done (v=0x7fd448101670) at ldap/servers/slapd/value.c:256
#3  0x00007fd4a3f06ab6 in slapi_value_free (v=0x7fd44810e9e0) at ldap/servers/slapd/value.c:241
#4  0x00007fd4a3f07a95 in valuearray_free_ext (va=va@entry=0x7fd4481c1368, idx=<optimized out>, idx@entry=0) at ldap/servers/slapd/valueset.c:323
#5  0x00007fd4a3f07ac7 in valuearray_free (va=va@entry=0x7fd4481c1368) at ldap/servers/slapd/valueset.c:333
#6  0x00007fd4a3f08159 in slapi_valueset_done (vs=vs@entry=0x7fd4481c1358) at ldap/servers/slapd/valueset.c:611
#7  0x00007fd4a3e7d7b8 in attr_done (a=0x7fd4481c1350) at ldap/servers/slapd/attr.c:465
#8  0x00007fd4a3e7d83a in slapi_attr_free (ppa=ppa@entry=0x7fd4747f57f0) at ldap/servers/slapd/attr.c:451
#9  0x00007fd4a3e7ea14 in attrlist_free (alist=<optimized out>) at ldap/servers/slapd/attrlist.c:53
#10 0x00007fd4a3e93810 in slapi_entry_free (e=e@entry=0x7fd44817c880) at ldap/servers/slapd/entry.c:2050
#11 0x00007fd4a439b114 in do_bind (pb=pb@entry=0x7fd4747f7ae0) at ldap/servers/slapd/bind.c:874
#12 0x00007fd4a43a244f in connection_dispatch_operation (pb=0x7fd4747f7ae0, op=0x7fd4a5d2a680, conn=0x7fd480f35880) at ldap/servers/slapd/connection.c:635
#13 connection_threadmain () at ldap/servers/slapd/connection.c:2534
#14 0x00007fd4a22c99db in _pt_root (arg=0x7fd4a5d06890) at ../../../nspr/pr/src/pthreads/ptthread.c:212
#15 0x00007fd4a1c6adf5 in start_thread (arg=0x7fd4747f8700) at pthread_create.c:308
#16 0x00007fd4a19981ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

(gdb) frame 10
#10 0x00007fd4a3e93810 in slapi_entry_free (e=e@entry=0x7fd44817c880) at ldap/servers/slapd/entry.c:2050
2050			attrlist_free(e->e_attrs);
(gdb) print_slapi_entry e
$1 = {flag = 0 '\000', udn = 0x0, dn = 0x0, ndn = 0x0, ndn_len = 0}
$2 = 0x0
$3 = 0x7fd4481e1bb0 ""
$4 = 0x7fd4481bbd90 "com"
$5 = 0x7fd448186670 "dc=com"
$6 = 0x7fd448170eb0 "com"
$7 = 0x7fd4481b58e0 "=com"
$8 = 0x7fd4481710e0 "dc=com"
$9 = 0x7fd448172d60 "dc=com"
$10 = 0x7fd4481825d0 "com"
$11 = 0x7fd448155c90 "dc=com"
$12 = 0x7fd448172af0 "dc=com"
$13 = 0x7fd448182ca0 "dc=com"
$14 = 0x7fd4481c15e0 "com"
$15 = 0x7fd4481dfe60 "dc=com"
$16 = 0x7fd4481e0290 ""
$17 = 0x7fd44817c250 ""
$18 = 0x7fd44817c1d0 ""
$19 = 0x7fd44817c150 "=com"
$20 = 0x7fd44817c090 "P훤\324\177"
$21 = 0x7fd44817c010 "P훤\324\177"
$22 = 0x7fd44817bf90 " 9\233\244\324\177"
$23 = 0x7fd44817bf10 ""
$24 = 0x7fd44817bdf0 "P훤\324\177"
$25 = 0x7fd44817bd70 "P\002"
$26 = 0x7fd448188680 ""
$27 = 0x7fd448188600 ""
$28 = 0x7fd448188580 ""
$29 = 0x0
$30 = 0x7fd4481dd730 "loginShell"
$31 = 0x7fd448138220 "objectClass"
$32 = 0x7fd44809e440 "cn"
$33 = 0x7fd44804f530 "nsUniqueId"
$34 = 0x7fd44804edc0 "entrydn"

(entry seems to be corrupt).

And then, csn:

(gdb) frame 2
#2  0x00007fd4a3f06a89 in value_done (v=0x7fd448101670) at ldap/servers/slapd/value.c:256
256		        csnset_free(&(v->v_csnset));
(gdb) print &(v->v_csnset)->type
$35 = (CSNType *) 0x45 <Address 0x45 out of bounds>
(gdb) 

(gdb) print &(v->v_csnset)->csn.seqnum
$38 = (PRUint16 *) 0x55
(gdb) print &(v->v_csnset)->csn.rid
$39 = (ReplicaId *) 0x57
(gdb) print &(v->v_csnset)->csn.tstamp
$40 = (time_t *) 0x4d

No replica 87 in customer topology.



Version-Release number of selected component (if applicable): 389-ds-base-1.3.3.1-15


How reproducible: it has been reproduced only once at customer site.


Steps to Reproduce:

N/A


Actual results:

Server crashed.


Expected results:


Additional info:

I apologize, but unfortunately I have no more information on how to reproduce this or troubleshoot it further.
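
The `print &(v->v_csnset)->FIELD` results in the gdb session are field addresses, so they can be cross-checked to recover the value stored in `v->v_csnset`. The C program below is an added example, not part of the report or of 389-ds-base; the struct layout is an assumption rebuilt from the field names and types gdb prints (LP64 assumed), and `recover_pointer`, `plausible_heap_pointer` and `next_load_address` are hypothetical helper names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Assumed layout, rebuilt from the field names and types gdb prints in the
 * report (CSNType, time_t, PRUint16, ReplicaId); not the project's header. */
typedef enum { CSN_TYPE_PLACEHOLDER } CSNType;   /* hypothetical enumerator */
typedef struct { time_t tstamp; uint16_t seqnum; uint16_t rid; } CSN;
typedef struct csnset_node { CSNType type; CSN csn; struct csnset_node *next; } CSNSet;

struct field_addr { const char *field; size_t offset; uintptr_t printed; };
/* Results of `print &(v->v_csnset)->FIELD` copied from the gdb session. */
static const struct field_addr observed[] = {
    { "type",       offsetof(CSNSet, type),                        0x45 },
    { "csn.tstamp", offsetof(CSNSet, csn) + offsetof(CSN, tstamp), 0x4d },
    { "csn.seqnum", offsetof(CSNSet, csn) + offsetof(CSN, seqnum), 0x55 },
    { "csn.rid",    offsetof(CSNSet, csn) + offsetof(CSN, rid),    0x57 },
};

/* Returns 1 and stores the pointer if every printed address equals
 * pointer + field offset for one and the same pointer, else returns 0. */
static int recover_pointer(const struct field_addr *o, size_t n, uintptr_t *ptr)
{
    if (n == 0 || o[0].printed < o[0].offset) return 0;
    uintptr_t base = o[0].printed - o[0].offset;
    for (size_t i = 1; i < n; i++)
        if (o[i].printed < o[i].offset || o[i].printed - o[i].offset != base)
            return 0;
    *ptr = base;
    return 1;
}

/* A live CSNSet* is allocator memory: pointer-aligned and above the first
 * page, which Linux leaves unmapped for ordinary processes (4096 bytes assumed). */
static int plausible_heap_pointer(uintptr_t p) { return p >= 4096 && p % sizeof(void *) == 0; }

/* Address read by `nnext = n->next` (csnset.c:323 in the trace) when n == p. */
static uintptr_t next_load_address(uintptr_t p) { return p + offsetof(CSNSet, next); }

int main(void)
{
    uintptr_t p = 0;
    int ok = recover_pointer(observed, 4, &p);
    printf("consistent=%d v->v_csnset=0x%lx plausible=%d n->next read at 0x%lx\n", ok,
           (unsigned long)p, plausible_heap_pointer(p), (unsigned long)next_load_address(p));
    return !ok;
}
```

Under the assumed layout, all four printed addresses agree on a stored pointer of `0x45`, and the `n->next` load at line 323 then targets `0x5d`, which lies in the unmapped first page.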
Comment 4 German Parente 2015-09-02 17:04:03 EDT
Created attachment 1069595
access log buffer
