Bug 458677 - Memory leaks in index code doing indexed & range & matching rule searches
Status: CLOSED ERRATA
Alias: None
Product: 389
Classification: Retired
Component: Database - Indexes/Searches
Version: 1.1.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Chandrasekar Kannan
Blocks: 249650 FDS112 453229 CVE-2008-3283
Reported: 2008-08-11 14:57 UTC by Rich Megginson
Modified: 2015-01-04 23:33 UTC (History)

Doc Type: Bug Fix
Last Closed: 2008-08-27 20:39:21 UTC


Attachments
diffs (3.42 KB, patch)
2008-08-11 14:58 UTC, Rich Megginson
cvs commit log - DS8.0 (192 bytes, text/plain)
2008-08-12 22:30 UTC, Rich Megginson
cvs commit log - HEAD (186 bytes, text/plain)
2008-08-27 21:10 UTC, Rich Megginson


Links
System: Red Hat Product Errata
ID: RHSA-2008:0602
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: redhat-ds-base and redhat-ds-admin security and bug fix update
Last Updated: 2008-08-27 20:38:30 UTC

Description Rich Megginson 2008-08-11 14:57:15 UTC
This leak occurs when doing ranged, indexed searches.  The code calls index2prefix to get the index prefix.  In the case of a matching rule search, this prefix is allocated.  The function free_prefix was not being called in all cases.

Comment 1 Rich Megginson 2008-08-11 14:58:08 UTC
Created attachment 313973
diffs

Comment 2 Nathan Kinder 2008-08-11 15:37:30 UTC
Does free_prefix() deal with the passed parameter being NULL properly?

Comment 3 Rich Megginson 2008-08-11 15:49:13 UTC
(In reply to comment #2)
> Does free_prefix() deal with the passed parameter being NULL properly?

Yes.
static void
free_prefix (char* prefix)
{
    if (prefix == NULL ||
	prefix == prefix_PRESENCE ||
	prefix == prefix_EQUALITY ||
	prefix == prefix_APPROX ||
	prefix == prefix_SUB) {
	/* do nothing */
    } else {
	slapi_ch_free( (void**)&prefix);
    }
}
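
The leak pattern described in this bug, as an added example that is not part of the bug report or the 389 source. It is a simplified model: the body of index2prefix, the two range_read_* functions, the early-return path and the "example-mr" name are assumptions; free_prefix follows the contract shown in comment 3.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified model, not the 389 source: bodies and signatures are assumptions. */
static char prefix_EQUALITY[] = "=";  /* shared static prefix, never freed */
static int live_allocs = 0;           /* heap prefixes not yet released */
/* Assumed behaviour: static prefix for "eq", heap copy for a matching rule. */
static char *index2prefix(const char *indextype) {
    if (strcmp(indextype, "eq") == 0) return prefix_EQUALITY;
    size_t n = strlen(indextype) + 2;
    char *p = malloc(n);
    if (p == NULL) return NULL;
    snprintf(p, n, ":%s", indextype);
    live_allocs++;
    return p;
}

/* Same contract as comment 3: NULL and static prefixes are left alone. */
static void free_prefix(char *prefix) {
    if (prefix == NULL || prefix == prefix_EQUALITY) return;
    free(prefix);
    live_allocs--;
}

/* Before: the early return for an empty range skips free_prefix. */
static int range_read_leaky(const char *indextype, int lo, int hi) {
    char *prefix = index2prefix(indextype);
    if (prefix == NULL) return -1;
    if (lo > hi) return 0;            /* heap prefix is lost here */
    int n = hi - lo + 1;              /* stand-in for walking the index */
    free_prefix(prefix);
    return n;
}

/* After: every path past the allocation reaches free_prefix. */
static int range_read_fixed(const char *indextype, int lo, int hi) {
    int n = 0;
    char *prefix = index2prefix(indextype);
    if (prefix == NULL) return -1;
    if (lo <= hi) n = hi - lo + 1;
    free_prefix(prefix);
    return n;
}

int main(void) {
    range_read_leaky("example-mr", 9, 1);  /* constructed matching-rule name */
    range_read_fixed("example-mr", 9, 1);
    printf("heap prefixes still live: %d\n", live_allocs);
    return 0;
}
```

Only the matching-rule path leaks in the "before" version, because the static prefixes are never heap-allocated; that is why the counter stays at zero for "eq" searches.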

Comment 4 Rich Megginson 2008-08-11 16:49:42 UTC
This bug can be triggered by an anonymous user.  There is no easy way to mitigate this issue - either disable the index, or disallow anonymous searches.

Comment 5 Rich Megginson 2008-08-12 22:30:33 UTC
Created attachment 314150
cvs commit log - DS8.0

Reviewed by: nkinder (Thanks!)
Fix Description: This leak occurs when doing ranged, indexed searches.  The code calls
index2prefix to get the index prefix.  In the case of a matching rule search,
this prefix is allocated.  The function free_prefix was not being called in all
cases.
Platforms tested: RHEL5, Fedora 8
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none

Comment 7 Jenny Severance 2008-08-19 20:30:28 UTC
How can QE verify this?  What to look for in the valgrind output?

Comment 8 Rich Megginson 2008-08-19 20:39:04 UTC
(In reply to comment #7)
> How can QE verify this?  What to look for in the valgrind output?

Look for a memory leak in index_range_read()

Comment 9 Jenny Severance 2008-08-21 17:49:17 UTC
verified 8.0 RHEL4-32, RHEL4-64, RHEL5-32, RHEL5-64

Comment 12 errata-xmlrpc 2008-08-27 20:39:21 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2008-0602.html

Comment 13 Rich Megginson 2008-08-27 21:10:22 UTC
Created attachment 315150
cvs commit log - HEAD

