Bug 231507 - rhds72 Modification of directory entries with VLV-indexed null-value attributes results in server crash
Status: CLOSED CURRENTRELEASE
Product: Red Hat Directory Server
Classification: Red Hat
Component: Database - Indexes/Searches
Version: 7.2
Hardware: All Linux
Priority: medium
Severity: medium
Target Milestone: DS8.0
Target Release: ---
Assigned To: Rich Megginson
QA Contact: Viktor Ashirov
Blocks: 152373 159328 240316
 
Reported: 2007-03-08 14:27 EST by Marco Rhodes
Modified: 2016-05-06 10:41 EDT

Doc Type: Bug Fix
Last Closed: 2016-05-06 10:41:04 EDT


Attachments
diffs (3.59 KB, patch), 2007-03-08 16:09 EST, Rich Megginson
cvs commit log (182 bytes, text/plain), 2007-03-14 12:29 EDT, Rich Megginson

Description Marco Rhodes 2007-03-08 14:27:27 EST
Description of problem:

The crash happens when you have a modify containing an attribute with some
values followed by an attribute with no values, and the attributes are one of
the attributes sorted on by the VLV search.  For example, when you create a
browsing index in the console, it creates a VLV index sorted first by cn, then
givenname, then o, then ou, then sn.  So if the entry you are modifying, prior
to the modify request, has a value for cn, but none for givenname, the server
will crash.
Comment 1 Rich Megginson 2007-03-08 16:09:24 EST
Created attachment 149634
diffs
Comment 2 Noriko Hosoi 2007-03-08 16:16:53 EST
Your fix looks good.
Comment 3 Rich Megginson 2007-03-14 12:29:02 EDT
Created attachment 150065
cvs commit log

Reviewed by: nkinder, nhosoi, prowley (Thanks!)
File: ldapserver/ldap/servers/slapd/back-ldbm/vlv.c
Fix Description: The value lowest_value is defined outside the loop that loops
through all the attributes in the vlv sort specification (e.g. usually
something like cn givenname o ou sn if defined by the console browsing index). 
lowest_value is not reset for each loop iteration.  So if it goes through the
loop one time for e.g. givenname, and givenname has values, lowest_value will
point to the lowest value of givenname until the key is created, then it is
freed.  So the next loop iteration uses o, and if for example o does not have
any values, lowest_value will point to the already freed memory used by the
givenname iteration, which is now garbage (e.g. the lowest_value->bv_len may be
very large, which is the probable cause of the malloc out of memory errors seen
by the customer).  The solution is to reset lowest_value to NULL before each
loop iteration (I did this by moving the declaration and initialization of
lowest_value inside the loop scope) and testing for lowest_value == NULL before
trying to use it.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
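
The scoping bug described in the fix description above, as an added C illustration (not the vlv.c code and not the attached patch). The names `build_key`, `attr_s`, `berval_s` and the sample entry are hypothetical and constructed for this example. Values here are never freed, so the pointer left over from the previous attribute shows up as a repeated key component rather than a read of freed memory.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for illustration; not the types used in vlv.c. */
struct berval_s { size_t bv_len; const char *bv_val; };
struct attr_s { const char *type; size_t nvals; struct berval_s vals[4]; };

/* Smallest value of an attribute, or NULL when it is absent or has no values. */
static const struct berval_s *lowest(const struct attr_s *a) {
    const struct berval_s *low = NULL;
    for (size_t i = 0; a && i < a->nvals; i++)
        if (!low || strcmp(a->vals[i].bv_val, low->bv_val) < 0) low = &a->vals[i];
    return low;
}
static const struct attr_s *find(const struct attr_s *e, size_t n, const char *t) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(e[i].type, t) == 0) return &e[i];
    return NULL;
}

/* Build "v1|v2|..." from each sort attribute; reset_each = 0 is the pre-fix scoping. */
int build_key(const struct attr_s *e, size_t n, const char **sort, size_t nsort,
              int reset_each, char *out, size_t outsz) {
    const struct berval_s *lowest_value = NULL; /* pre-fix: survives across iterations */
    size_t used = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (size_t s = 0; s < nsort; s++) {
        if (reset_each) lowest_value = NULL;    /* fix: start every attribute at NULL */
        const struct berval_s *v = lowest(find(e, n, sort[s]));
        if (v) lowest_value = v;                /* only assigned when values exist */
        size_t len = lowest_value ? lowest_value->bv_len : 0; /* fix: NULL test */
        if (used + len + 2 > outsz) return -1;  /* room for value, '|' and NUL */
        if (len) memcpy(out + used, lowest_value->bv_val, len);
        used += len;
        if (s + 1 < nsort) out[used++] = '|';
        out[used] = '\0';
    }
    return 0;
}

int main(void) {
    /* Constructed entry: cn and sn have values; givenname, o and ou have none. */
    const char *sort[] = {"cn", "givenname", "o", "ou", "sn"};
    struct attr_s e[] = {{"cn", 2, {{3, "bob"}, {5, "alice"}}}, {"sn", 1, {{5, "smith"}}}};
    char k[64];
    for (int fix = 0; fix <= 1; fix++)
        if (build_key(e, 2, sort, 5, fix, k, sizeof k) == 0) printf("reset=%d key=%s\n", fix, k);
    return 0;
}
```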
Comment 4 Rich Megginson 2007-03-14 12:36:58 EDT
Committed fix to HEAD.
Checking in vlv.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/vlv.c,v  <--  vlv.c
new revision: 1.13; previous revision: 1.12
done
Comment 5 Chandrasekar Kannan 2007-07-25 15:05:43 EDT
DS7.2 is not a valid milestone anymore. Anything that's set to DS7.2 should be
set to DS8.0. Will make further changes per bug council on 07/24/2007, after this.
