Bug 663597 - massive memory leak in 1.2.7.4
Summary: massive memory leak in 1.2.7.4
Status: CLOSED ERRATA
Alias: None
Product: 389
Classification: Retired
Component: Directory Server
Version: 1.2.7
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
Assignee: Nathan Kinder
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: 389_1.2.7 636700 639035 CVE-2010-4746
TreeView+ depends on / blocked
 
Reported: 2010-12-16 10:52 UTC by Adrian Bridgett
Modified: 2015-01-04 23:45 UTC (History)
5 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2011-01-03 19:54:22 UTC


Attachments (Terms of Use)
Patch (2.57 KB, patch)
2010-12-16 16:09 UTC, Nathan Kinder
nkinder: review?
rmeggins: review+
Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0003 normal SHIPPED_LIVE redhat-ds-base bug fix update 2011-01-03 19:54:07 UTC

Description Adrian Bridgett 2010-12-16 10:52:39 UTC
Description of problem:
massive memory leak

Version-Release number of selected component (if applicable):
1.2.7.4

How reproducible:
every time

Steps to Reproduce:
we were running 1.2.7.1 and upon upgrading to 1.2.7.4 it leaks about 500MB/10mins

Additional info:
we make extensive use of memberof plugin

downgrading to 1.2.7.1 seems okay so far (early days!)

Comment 1 Nathan Kinder 2010-12-16 15:09:35 UTC
What platform are you on?  How do you have memberOf configured?  What operations are being performed when you notice the process growth?

Comment 2 Adrian Bridgett 2010-12-16 16:01:48 UTC
rhel 5.5, x86_64

operations wise it's a little hard to say, nothing unusual, however we certainly have some badly behaved applications which will set attributes to a value that they are already set to (i.e. a fairly pointless operation).

Looking at our install notes we enable four plugins:

attribute uniqueness (enable, arguments are defaults)
arguments 1: uid
arguments 2: dc=ds,dc=example,dc=com

referential integrity postoperation (enable, add argument #8)
arguments 1: 0
arguments 2: /var/log/dirsrv/slapd-ds2/referint
arguments 3: 0
arguments 4: member
arguments 5: uniquemember
arguments 6: owner
arguments 7: seeAlso
arguments 8: manager

Space Insensitive String Syntax (enable)

MemberOf Plugin (enable + change below)
Advanced -> memberofgroupattr: uniqueMember (default is member)

Comment 3 Nathan Kinder 2010-12-16 16:09:40 UTC
Created attachment 469157 [details]
Patch

Comment 4 Adrian Bridgett 2010-12-16 16:18:38 UTC
blimey that's impressively quick! FYI we'll be moving to redhat directory
server (it's only fair that you get some support money for this after all). 
Many thanks :-)

Comment 5 Nathan Kinder 2010-12-16 16:20:15 UTC
Pushed to master.  Thanks to Rich for his review!

Counting objects: 13, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 913 bytes, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   f977972..4da627a  master -> master

Comment 7 Rich Megginson 2010-12-16 17:03:55 UTC
commit cea436bedbf40c2c29dfb325e2d6266c371cf2a9
Author: Nathan Kinder <nkinder@redhat.com>
Date:   Thu Dec 16 08:02:46 2010 -0800

branch 389-ds-base-1.2.7

Comment 8 Nathan Kinder 2010-12-16 22:45:50 UTC
This will be fixed in 389-ds-base-1.2.7.5, which should hit the updates-testing repos in the next few days.

Comment 10 Noriko Hosoi 2010-12-21 21:50:59 UTC
Preparation:
1) Downloaded the SRC RPM file and installed it on the local host.
http://download.devel.redhat.com/brewroot/packages/redhat-ds-base/8.2.3/2.el4dsrv/src/redhat-ds-base-8.2.3-2.el4dsrv.src.rpm

2) Checked out the source tree ds.git origin/Directory_Server_8_2_Branch 

Commit comment:
commit 3e170da37a4f8a15b1342430cc2a912bb8b99872
Author: Nathan Kinder <nkinder@redhat.com>
Date:   Thu Dec 16 08:02:46 2010 -0800

    Bug 663597 - Memory leaks in normalization code

    The DN normalization code uses a Slapi_Attr on the stack to avoid
    allocation of the struct.  The contents of the Slapi_Attr are
    never freed.  This patch ensure that the struct is cleared out
    properly.

    There was also a leak in the syntax normalization code where a
    pointer to recently allocated string could get overwritten without
    freeing the string first.  This patch frees the string first.

Committed patch:
diff --git a/ldap/servers/slapd/attrsyntax.c b/ldap/servers/slapd/attrsyntax.c
index ba30871..6d3fe8c 100644
--- a/ldap/servers/slapd/attrsyntax.c
+++ b/ldap/servers/slapd/attrsyntax.c
@@ -469,14 +469,14 @@ char *
 slapi_attr_syntax_normalize( const char *s )
 {
        struct asyntaxinfo *asi = NULL;
-       char *r;
-
+       char *r = NULL;

-    if((asi=attr_syntax_get_by_name(s)) != NULL ) {
+       if((asi=attr_syntax_get_by_name(s)) != NULL ) {
                r = slapi_ch_strdup(asi->asi_name);
                attr_syntax_return( asi );
        }
        if ( NULL == asi ) {
+               slapi_ch_free_string( &r );
                r = attr_syntax_normalize_no_lookup( s );
        }
        return r;
diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c
index 227a41e..8e0d0fa 100644
--- a/ldap/servers/slapd/dn.c
+++ b/ldap/servers/slapd/dn.c
@@ -572,6 +572,7 @@ slapi_dn_normalize_ext(char *src, size_t src_len, char **dest, size_t *dest_len)

                 slapi_attr_init(&test_attr, typestart);
                 is_dn_syntax = slapi_attr_is_dn_syntax_attr(&test_attr);
+                attr_done(&test_attr);

                 /* Reset the character we modified. */
                 *d = savechar;
@@ -592,6 +593,7 @@ slapi_dn_normalize_ext(char *src, size_t src_len, char **dest, size_t *dest_len)

                 slapi_attr_init(&test_attr, typestart);
                 is_dn_syntax = slapi_attr_is_dn_syntax_attr(&test_attr);
+                attr_done(&test_attr);

                 /* Reset the character we modified. */
                 *d = savechar;
@@ -612,6 +614,7 @@ slapi_dn_normalize_ext(char *src, size_t src_len, char **dest, size_t *dest_len)

                 slapi_attr_init(&test_attr, typestart);
                 is_dn_syntax = slapi_attr_is_dn_syntax_attr(&test_attr);
+                attr_done(&test_attr);

                 /* Reset the character we modified. */
                 *d = savechar;

Compare attrsyntax.c from SRC RPM with the one from git.ds -- MATCHED:
# diff rpmbuild/SOURCES/redhat-ds-base-8.2.3/ldap/servers/slapd/attrsyntax.c /export/src/ds82/ldapserver/ldap/servers/slapd/attrsyntax.c
#

Compare dn.c from SRC RPM with the one from git.ds -- MATCHED:
# diff rpmbuild/SOURCES/redhat-ds-base-8.2.3/ldap/servers/slapd/dn.c /export/src/ds82/ldapserver/ldap/servers/slapd/dn.c
#

Comment 13 errata-xmlrpc 2011-01-03 19:54:22 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0003.html


Note You need to log in before you can comment on or make changes to this bug.