Bug 1378365 - crash in openldap in test_filter
Summary: crash in openldap in test_filter
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openldap
Version: 6.7
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Matus Honek
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 1461138
TreeView+ depends on / blocked
 
Reported: 2016-09-22 09:27 UTC by German Parente
Modified: 2021-03-11 14:42 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-29 15:29:52 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
OpenLDAP ITS 8013 0 None None None 2016-09-22 11:53:18 UTC

Description German Parente 2016-09-22 09:27:15 UTC 
Description of problem:

Server is crashing with this backtrace:


#0  test_filter (op=0x7f8ac433be40, e=0x7f8afd51a348, f=0xb)
    at ../../../servers/slapd/filterentry.c:69
69		if ( f->f_choice & SLAPD_FILTER_UNDEFINED ) {
(gdb) bt
#0  test_filter (op=0x7f8ac433be40, e=0x7f8afd51a348, f=0xb)
    at ../../../servers/slapd/filterentry.c:69
#1  0x00007f8af7e35d11 in syncprov_matchops (op=0x7f8ac433d3f0, 
    opc=0x7f8ab8004258, saveit=0)
    at ../../../../servers/slapd/overlays/syncprov.c:1316
#2  0x00007f8af7e36aa0 in syncprov_op_response (op=0x7f8ac433d3f0, 
    rs=<value optimized out>)
    at ../../../../servers/slapd/overlays/syncprov.c:1939
#3  0x00007f8afbfb59de in slap_response_play (op=0x7f8ac433d3f0, 
    rs=0x7f8ac433caf0) at ../../../servers/slapd/result.c:507
#4  0x00007f8afbfb65a0 in send_ldap_response (op=0x7f8ac433d3f0, 
    rs=0x7f8ac433caf0) at ../../../servers/slapd/result.c:582
#5  0x00007f8afbfb756f in slap_send_ldap_result (op=0x7f8ac433d3f0, 
    rs=0x7f8ac433caf0) at ../../../servers/slapd/result.c:860
#6  0x00007f8afc02ee15 in hdb_modify (op=0x7f8ac433d3f0, rs=0x7f8ac433caf0)
    at modify.c:802
#7  0x00007f8afc014457 in overlay_op_walk (op=0x7f8ac433d3f0, 
    rs=0x7f8ac433caf0, which=op_modify, oi=0x7f8afd5979a0, on=0x0)
    at ../../../servers/slapd/backover.c:671
#8  0x00007f8afc014eb4 in over_op_func (op=0x7f8ac433d3f0, 
    rs=<value optimized out>, which=<value optimized out>)
    at ../../../servers/slapd/backover.c:723
#9  0x00007f8afc00e4b5 in syncrepl_entry (op=0x7f8ac433d3f0, si=0x7f8ae8140150)
---Type <return> to continue, or q <return> to quit---
    at ../../../servers/slapd/syncrepl.c:3176
#10 do_syncrep2 (op=0x7f8ac433d3f0, si=0x7f8ae8140150)
    at ../../../servers/slapd/syncrepl.c:1024
#11 0x00007f8afc0104dd in do_syncrepl (ctx=<value optimized out>, 
    arg=0x7f8ae8135cf0) at ../../../servers/slapd/syncrepl.c:1539
#12 0x00007f8afbfa6246 in connection_read_thread (ctx=0x7f8ac433db70, 
    argv=<value optimized out>) at ../../../servers/slapd/connection.c:1293
#13 0x00007f8afbaf1ce8 in ldap_int_thread_pool_wrapper (xpool=0x7f8afd4e0d10)
    at ../../../libraries/libldap_r/tpool.c:688
#14 0x00007f8af9ab99d1 in start_thread (arg=0x7f8ac433e700)
    at pthread_create.c:255
#15 0x00007f8af95fb8fd in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:77
#16 0x0000000000000000 in ?? ()

as the filter is NULL

(gdb) print f
$1 = (Filter *) 0xb

the access to f->f_choice provokes the crash.




this seems similar to 

=================================================================
Bug 1111007 - slapd crashed by segfault while syncrepl processing
=================================================================

that was closed by "insufficient data"

 
Version-Release number of selected component (if applicable): openldap-2.4.40-12.el6.x86_64


How reproducible: sometimes.


Additional info:


seems to be exactly the stacktrace found in:

======================================================================
Fixed slapo-syncprov synprov_matchops usage of test_filter (ITS#8013)
======================================================================

which has been fixed in 2015. But I don't know how to access the source coude of this ITS so as to make a test package to give to the customer.

http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8013

where it shows the same stack trace:


(0) /opt/openldap.devel/libexec/slapd() [0x442f07]: test_filter
/home/ly/Projects/openldap.git/servers/slapd/filterentry.c:69
(1) /opt/openldap.devel/libexec/slapd() [0x514721]: syncprov_matchops
/home/ly/Projects/openldap.git/servers/slapd/overlays/syncprov.c:1316
(2) /opt/openldap.devel/libexec/slapd() [0x514b83]: syncprov_op_mod
/home/ly/Projects/openldap.git/servers/slapd/overlays/syncprov.c:2145
(3) /opt/openldap.devel/libexec/slapd() [0x48b31a]: overlay_op_walk
/home/ly/Projects/openldap.git/servers/slapd/backover.c:662
(4) /opt/openldap.devel/libexec/slapd() [0x48b4c1]: over_op_func
/home/ly/Projects/openldap.git/servers/slapd/backover.c:724
(5) /opt/openldap.devel/libexec/slapd() [0x4811a6]: syncrepl_entry
/home/ly/Projects/openldap.git/servers/slapd/syncrepl.c:3177
do_syncrep2
/home/ly/Projects/openldap.git/servers/slapd/syncrepl.c:10%0
(6) /opt/openldap.devel/libexec/slapd() [0x4844b2]: do_syncrepl
/home/ly/Projects/openldap.git/servers/slapd/syncrepl.c:1539


Is it possible to backport it to our rhel6 / rhel7 versions ?

thanks a lot.

German.
Comment 2 Matus Honek 2016-09-22 11:53:18 UTC 
Thanks for the prior investigation!

The commit for ITS#8013 is this one (unfortunately, one has to search commit messages):
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=44a8ab7143179974ec2b54995ebf13b2a40f111c
Note You need to log in before you can comment on or make changes to this bug.