From 9795451b028a048021af153ac39094578e4f1e50 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Tue, 29 Apr 2014 17:34:47 -0700
Subject: [PATCH 115/115] Ticket #47707 - 389 DS Server crashes and dies while
handles paged searches from clients
Bug Description: If a simple paged search request was sent to the server
and the request was abandoned, the paged result slot in the connection
table was not properly released by setting NULL to pr_current_be. Since
the slot did not look available for the next request even though it was,
the next request failed to get the valid slot number, and the initial slot
number -1 failed to be replaced with the real slot number. Until the fix
for "Ticket #47623 fix memleak caused by 47347" was made, it overrode the
allocated array's [-1] location, which usually stores the meta data of the
allocated memory. That crashed the server in the next realloc since the
corrupted memory was passed to the function.
Fix Description: This patch cleans up the abandoned/cleaned up slot for
reuse. Also, an additional check is added so that the meta data is not overwritten.
Special thanks to German Parente (gparente@redhat.com) for providing the
reproducer and analysing the crash.
https://fedorahosted.org/389/ticket/47707
Reviewed by rmeggins@redhat.com (Thanks, Rich!)
(cherry picked from commit 087356f7eaff2dff3c0c4f7dfcaa6aacc9979224)
(cherry picked from commit 2132875746ed9e1fc7c9c53450241c91d0c5ae55)
(cherry picked from commit 40e86e74fb4ecc0fc5a1027d8241945d9b2564e0)
(cherry picked from commit b2ee65dd6c4af4f2cab515406a6f7fd9f1dc4dcc)
---
ldap/servers/slapd/pagedresults.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
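diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c
index 9af5773..edd76c6 100644
--- a/ldap/servers/slapd/pagedresults.c
+++ b/ldap/servers/slapd/pagedresults.c
@@ -130,7 +130,8 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
 }
 }
 }
- if (!conn->c_pagedresults.prl_list[*index].pr_mutex) {
+ if ((*index > -1) && (*index < conn->c_pagedresults.prl_maxlen) &&
+ !conn->c_pagedresults.prl_list[*index].pr_mutex) {
 conn->c_pagedresults.prl_list[*index].pr_mutex = PR_NewLock();
 }
 conn->c_pagedresults.prl_count++;
@@ -270,6 +271,7 @@ pagedresults_free_one( Connection *conn, Operation *op, int index )
 prp->pr_current_be->be_search_results_release &&
 prp->pr_search_result_set) {
 prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
+ prp->pr_current_be = NULL;
 }
 if (prp->pr_mutex) {
 /* pr_mutex is reused; back it up and reset it. */
@@ -307,6 +309,7 @@ pagedresults_free_one_msgid_nolock( Connection *conn, ber_int_t msgid )
 prp->pr_current_be->be_search_results_release &&
 prp->pr_search_result_set) {
 prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
+ prp->pr_current_be = NULL;
 }
 prp->pr_flags |= CONN_FLAG_PAGEDRESULTS_ABANDONED;
 prp->pr_flags &= ~CONN_FLAG_PAGEDRESULTS_PROCESSING;
@@ -724,6 +727,7 @@ pagedresults_cleanup(Connection *conn, int needlock)
 if (prp->pr_current_be && prp->pr_search_result_set &&
 prp->pr_current_be->be_search_results_release) {
 prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
+ prp->pr_current_be = NULL;
 rc = 1;
 }
 if (prp->pr_mutex) {
@@ -771,6 +775,7 @@ pagedresults_cleanup_all(Connection *conn, int needlock)
 if (prp->pr_current_be && prp->pr_search_result_set &&
 prp->pr_current_be->be_search_results_release) {
 prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
+ prp->pr_current_be = NULL;
 rc = 1;
 }
 }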
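Review bot: In the first hunk the new range test on `*index` guards only the `PR_NewLock()` assignment, while the `conn->c_pagedresults.prl_count++` that follows in the same hunk still runs when no valid slot was found, so the count can drift away from the number of occupied slots. Consider treating an out-of-range index as an explicit failure before this block instead of silently skipping the lock creation, and record the invariant with a comment such as `/* *index stays -1 when no free slot was found; never use it to index prl_list */`. In the four later hunks `prp->pr_current_be = NULL;` is set only inside the release `if`, so a slot whose `pr_search_result_set` is already NULL would presumably remain marked as in use; placing the assignment after the closing brace would cover that case as well. All five functions begin and end outside their hunks, so guards or resets that are not visible here may already handle part of this.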
--
1.8.1.4