ldap/servers/slapd/pagedresults.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
New commits:
commit b2ee65dd6c4af4f2cab515406a6f7fd9f1dc4dcc
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue Apr 29 17:34:47 2014 -0700
Ticket #47707 - 389 DS Server crashes and dies while handles paged searches from clients
Bug Description: If a simple paged search request was sent to the server
and the request was abandoned, the paged result slot in the connection
table was not properly released by setting NULL to pr_current_be. Since
the slot did not look available for the next request even though it was,
the next request failed to get the valid slot number, and the initial slot
number -1 failed to be replaced with the real slot number. Until the fix
for "Ticket #47623 fix memleak caused by 47347" was made, it overrode the
allocated array's [-1] location, which usually stores the meta data of the
allocated memory. That crashed the server in the next realloc since the
corrupted memory was passed to the function.
Fix Description: This patch cleans up the abandoned/cleaned up slot for
reuse. Also, more check not to break the meta data is added.
Special thanks to German Parente (gparente(a)redhat.com) for providing the
reproducer and analysing the crash.
https://fedorahosted.org/389/ticket/47707
Reviewed by rmeggins(a)redhat.com (Thanks, Rich!)
(cherry picked from commit 087356f7eaff2dff3c0c4f7dfcaa6aacc9979224)
(cherry picked from commit 2132875746ed9e1fc7c9c53450241c91d0c5ae55)
(cherry picked from commit 40e86e74fb4ecc0fc5a1027d8241945d9b2564e0)
diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c
index 9af5773..edd76c6 100644
--- a/ldap/servers/slapd/pagedresults.c
+++ b/ldap/servers/slapd/pagedresults.c
@@ -130,7 +130,8 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
}
}
}
- if (!conn->c_pagedresults.prl_list[*index].pr_mutex) {
+ if ((*index > -1) && (*index < conn->c_pagedresults.prl_maxlen) &&
+ !conn->c_pagedresults.prl_list[*index].pr_mutex) {
conn->c_pagedresults.prl_list[*index].pr_mutex = PR_NewLock();
}
conn->c_pagedresults.prl_count++;
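Review bot: When `*index` is still -1 or is not below `prl_maxlen`, the new guard only skips the `PR_NewLock()` call and control falls through to `conn->c_pagedresults.prl_count++`, so the slot count grows although no slot was assigned. Nothing visible in this hunk reports that condition to the caller; I would treat an out-of-range index as a failure here, moving the increment inside the guarded block and adding an `else` branch that logs the condition and sets the function's error result. pagedresults_parse_control_value continues past the hunk, so a later check may already cover this and is worth confirming. The identical hunk recurs in the three other copies of this commit further down the page.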
@@ -270,6 +271,7 @@ pagedresults_free_one( Connection *conn, Operation *op, int index )
prp->pr_current_be->be_search_results_release &&
prp->pr_search_result_set) {
prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
+ prp->pr_current_be = NULL;
}
if (prp->pr_mutex) {
/* pr_mutex is reused; back it up and reset it. */
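Review bot: `prp->pr_current_be = NULL;` sits inside the `if` that also requires a non-NULL `pr_search_result_set` and a backend `be_search_results_release` callback, so a slot whose result set is already gone, or whose backend has no release callback, keeps its `pr_current_be`. Going by the commit description, such a slot would still look occupied to the next paged search, which is the condition that led to the -1 index. Placing the reset after the closing brace of that `if`, unconditionally, would release the slot in every case. The same placement is used in the pagedresults_free_one_msgid_nolock, pagedresults_cleanup and pagedresults_cleanup_all hunks and in the other copies of this commit below. The `if` opens above the hunk and the function continues below it, so code outside the hunk may already clear the slot.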
@@ -307,6 +309,7 @@ pagedresults_free_one_msgid_nolock( Connection *conn, ber_int_t msgid )
prp->pr_current_be->be_search_results_release &&
prp->pr_search_result_set) {
prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
+ prp->pr_current_be = NULL;
}
prp->pr_flags |= CONN_FLAG_PAGEDRESULTS_ABANDONED;
prp->pr_flags &= ~CONN_FLAG_PAGEDRESULTS_PROCESSING;
@@ -724,6 +727,7 @@ pagedresults_cleanup(Connection *conn, int needlock)
if (prp->pr_current_be && prp->pr_search_result_set &&
prp->pr_current_be->be_search_results_release) {
prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
+ prp->pr_current_be = NULL;
rc = 1;
}
if (prp->pr_mutex) {
@@ -771,6 +775,7 @@ pagedresults_cleanup_all(Connection *conn, int needlock)
if (prp->pr_current_be && prp->pr_search_result_set &&
prp->pr_current_be->be_search_results_release) {
prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
+ prp->pr_current_be = NULL;
rc = 1;
}
}
ldap/servers/slapd/pagedresults.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
New commits:
commit 40e86e74fb4ecc0fc5a1027d8241945d9b2564e0
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue Apr 29 17:34:47 2014 -0700
Ticket #47707 - 389 DS Server crashes and dies while handles paged searches from clients
Bug Description: If a simple paged search request was sent to the server
and the request was abandoned, the paged result slot in the connection
table was not properly released by setting NULL to pr_current_be. Since
the slot did not look available for the next request even though it was,
the next request failed to get the valid slot number, and the initial slot
number -1 failed to be replaced with the real slot number. Until the fix
for "Ticket #47623 fix memleak caused by 47347" was made, it overrode the
allocated array's [-1] location, which usually stores the meta data of the
allocated memory. That crashed the server in the next realloc since the
corrupted memory was passed to the function.
Fix Description: This patch cleans up the abandoned/cleaned up slot for
reuse. Also, more check not to break the meta data is added.
Special thanks to German Parente (gparente(a)redhat.com) for providing the
reproducer and analysing the crash.
https://fedorahosted.org/389/ticket/47707
Reviewed by rmeggins(a)redhat.com (Thanks, Rich!)
(cherry picked from commit 087356f7eaff2dff3c0c4f7dfcaa6aacc9979224)
(cherry picked from commit 2132875746ed9e1fc7c9c53450241c91d0c5ae55)
diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c
index 9af5773..edd76c6 100644
--- a/ldap/servers/slapd/pagedresults.c
+++ b/ldap/servers/slapd/pagedresults.c
@@ -130,7 +130,8 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
}
}
}
- if (!conn->c_pagedresults.prl_list[*index].pr_mutex) {
+ if ((*index > -1) && (*index < conn->c_pagedresults.prl_maxlen) &&
+ !conn->c_pagedresults.prl_list[*index].pr_mutex) {
conn->c_pagedresults.prl_list[*index].pr_mutex = PR_NewLock();
}
conn->c_pagedresults.prl_count++;
@@ -270,6 +271,7 @@ pagedresults_free_one( Connection *conn, Operation *op, int index )
prp->pr_current_be->be_search_results_release &&
prp->pr_search_result_set) {
prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
+ prp->pr_current_be = NULL;
}
if (prp->pr_mutex) {
/* pr_mutex is reused; back it up and reset it. */
@@ -307,6 +309,7 @@ pagedresults_free_one_msgid_nolock( Connection *conn, ber_int_t msgid )
prp->pr_current_be->be_search_results_release &&
prp->pr_search_result_set) {
prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
+ prp->pr_current_be = NULL;
}
prp->pr_flags |= CONN_FLAG_PAGEDRESULTS_ABANDONED;
prp->pr_flags &= ~CONN_FLAG_PAGEDRESULTS_PROCESSING;
@@ -724,6 +727,7 @@ pagedresults_cleanup(Connection *conn, int needlock)
if (prp->pr_current_be && prp->pr_search_result_set &&
prp->pr_current_be->be_search_results_release) {
prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
+ prp->pr_current_be = NULL;
rc = 1;
}
if (prp->pr_mutex) {
@@ -771,6 +775,7 @@ pagedresults_cleanup_all(Connection *conn, int needlock)
if (prp->pr_current_be && prp->pr_search_result_set &&
prp->pr_current_be->be_search_results_release) {
prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
+ prp->pr_current_be = NULL;
rc = 1;
}
}
ldap/servers/slapd/pagedresults.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
New commits:
commit 2132875746ed9e1fc7c9c53450241c91d0c5ae55
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue Apr 29 17:34:47 2014 -0700
Ticket #47707 - 389 DS Server crashes and dies while handles paged searches from clients
Bug Description: If a simple paged search request was sent to the server
and the request was abandoned, the paged result slot in the connection
table was not properly released by setting NULL to pr_current_be. Since
the slot did not look available for the next request even though it was,
the next request failed to get the valid slot number, and the initial slot
number -1 failed to be replaced with the real slot number. Until the fix
for "Ticket #47623 fix memleak caused by 47347" was made, it overrode the
allocated array's [-1] location, which usually stores the meta data of the
allocated memory. That crashed the server in the next realloc since the
corrupted memory was passed to the function.
Fix Description: This patch cleans up the abandoned/cleaned up slot for
reuse. Also, more check not to break the meta data is added.
Special thanks to German Parente (gparente(a)redhat.com) for providing the
reproducer and analysing the crash.
https://fedorahosted.org/389/ticket/47707
Reviewed by rmeggins(a)redhat.com (Thanks, Rich!)
(cherry picked from commit 087356f7eaff2dff3c0c4f7dfcaa6aacc9979224)
diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c
index 9af5773..edd76c6 100644
--- a/ldap/servers/slapd/pagedresults.c
+++ b/ldap/servers/slapd/pagedresults.c
@@ -130,7 +130,8 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
}
}
}
- if (!conn->c_pagedresults.prl_list[*index].pr_mutex) {
+ if ((*index > -1) && (*index < conn->c_pagedresults.prl_maxlen) &&
+ !conn->c_pagedresults.prl_list[*index].pr_mutex) {
conn->c_pagedresults.prl_list[*index].pr_mutex = PR_NewLock();
}
conn->c_pagedresults.prl_count++;
@@ -270,6 +271,7 @@ pagedresults_free_one( Connection *conn, Operation *op, int index )
prp->pr_current_be->be_search_results_release &&
prp->pr_search_result_set) {
prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
+ prp->pr_current_be = NULL;
}
if (prp->pr_mutex) {
/* pr_mutex is reused; back it up and reset it. */
@@ -307,6 +309,7 @@ pagedresults_free_one_msgid_nolock( Connection *conn, ber_int_t msgid )
prp->pr_current_be->be_search_results_release &&
prp->pr_search_result_set) {
prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
+ prp->pr_current_be = NULL;
}
prp->pr_flags |= CONN_FLAG_PAGEDRESULTS_ABANDONED;
prp->pr_flags &= ~CONN_FLAG_PAGEDRESULTS_PROCESSING;
@@ -724,6 +727,7 @@ pagedresults_cleanup(Connection *conn, int needlock)
if (prp->pr_current_be && prp->pr_search_result_set &&
prp->pr_current_be->be_search_results_release) {
prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
+ prp->pr_current_be = NULL;
rc = 1;
}
if (prp->pr_mutex) {
@@ -771,6 +775,7 @@ pagedresults_cleanup_all(Connection *conn, int needlock)
if (prp->pr_current_be && prp->pr_search_result_set &&
prp->pr_current_be->be_search_results_release) {
prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
+ prp->pr_current_be = NULL;
rc = 1;
}
}
ldap/servers/slapd/pagedresults.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
New commits:
commit 087356f7eaff2dff3c0c4f7dfcaa6aacc9979224
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue Apr 29 17:34:47 2014 -0700
Ticket #47707 - 389 DS Server crashes and dies while handles paged searches from clients
Bug Description: If a simple paged search request was sent to the server
and the request was abandoned, the paged result slot in the connection
table was not properly released by setting NULL to pr_current_be. Since
the slot did not look available for the next request even though it was,
the next request failed to get the valid slot number, and the initial slot
number -1 failed to be replaced with the real slot number. Until the fix
for "Ticket #47623 fix memleak caused by 47347" was made, it overrode the
allocated array's [-1] location, which usually stores the meta data of the
allocated memory. That crashed the server in the next realloc since the
corrupted memory was passed to the function.
Fix Description: This patch cleans up the abandoned/cleaned up slot for
reuse. Also, more check not to break the meta data is added.
Special thanks to German Parente (gparente(a)redhat.com) for providing the
reproducer and analysing the crash.
https://fedorahosted.org/389/ticket/47707
Reviewed by rmeggins(a)redhat.com (Thanks, Rich!)
diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c
index 9af5773..edd76c6 100644
--- a/ldap/servers/slapd/pagedresults.c
+++ b/ldap/servers/slapd/pagedresults.c
@@ -130,7 +130,8 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
}
}
}
- if (!conn->c_pagedresults.prl_list[*index].pr_mutex) {
+ if ((*index > -1) && (*index < conn->c_pagedresults.prl_maxlen) &&
+ !conn->c_pagedresults.prl_list[*index].pr_mutex) {
conn->c_pagedresults.prl_list[*index].pr_mutex = PR_NewLock();
}
conn->c_pagedresults.prl_count++;
@@ -270,6 +271,7 @@ pagedresults_free_one( Connection *conn, Operation *op, int index )
prp->pr_current_be->be_search_results_release &&
prp->pr_search_result_set) {
prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
+ prp->pr_current_be = NULL;
}
if (prp->pr_mutex) {
/* pr_mutex is reused; back it up and reset it. */
@@ -307,6 +309,7 @@ pagedresults_free_one_msgid_nolock( Connection *conn, ber_int_t msgid )
prp->pr_current_be->be_search_results_release &&
prp->pr_search_result_set) {
prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
+ prp->pr_current_be = NULL;
}
prp->pr_flags |= CONN_FLAG_PAGEDRESULTS_ABANDONED;
prp->pr_flags &= ~CONN_FLAG_PAGEDRESULTS_PROCESSING;
@@ -724,6 +727,7 @@ pagedresults_cleanup(Connection *conn, int needlock)
if (prp->pr_current_be && prp->pr_search_result_set &&
prp->pr_current_be->be_search_results_release) {
prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
+ prp->pr_current_be = NULL;
rc = 1;
}
if (prp->pr_mutex) {
@@ -771,6 +775,7 @@ pagedresults_cleanup_all(Connection *conn, int needlock)
if (prp->pr_current_be && prp->pr_search_result_set &&
prp->pr_current_be->be_search_results_release) {
prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
+ prp->pr_current_be = NULL;
rc = 1;
}
}
ldap/servers/plugins/dna/dna.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
New commits:
commit f94bfa1917c95f2e93e43fb78c57a6cea96df69c
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Mon Apr 28 11:02:14 2014 -0400
Ticket 477779 - Need to lock server list when removing list
Description: Need to hold the write lock when deleting the server list.
There is no need to lock the list in the close function,
as all active threads should be stopped. In 1.3.3, the
dynamic plugin feature will also safely handle the plugin
shutdown.
https://fedorahosted.org/389/ticket/47779
Reviewed by: tbordaz(Thanks!)
(cherry picked from commit 2b98dcaf83fba3ea4fc52c2b8cad6deea02cb0e5)
diff --git a/ldap/servers/plugins/dna/dna.c b/ldap/servers/plugins/dna/dna.c
index 5ef5713..6e0c481 100644
--- a/ldap/servers/plugins/dna/dna.c
+++ b/ldap/servers/plugins/dna/dna.c
@@ -725,11 +725,9 @@ dna_load_shared_servers()
struct dnaServer *server = NULL, *global_servers = NULL;
PRCList *server_list = NULL;
PRCList *config_list = NULL;
+ int freed_servers = 0;
int ret = 0;
- /* First free the existing list. */
- dna_delete_global_servers();
-
/* Now build the new list. */
dna_write_lock();
if (!PR_CLIST_IS_EMPTY(dna_global_config)) {
@@ -747,6 +745,10 @@ dna_load_shared_servers()
}
dna_server_write_lock();
+ if(!freed_servers){
+ dna_delete_global_servers();
+ freed_servers = 1;
+ }
if (shared_list) {
server_list = PR_LIST_HEAD(shared_list);
while (server_list != shared_list) {
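Review bot: `dna_delete_global_servers()` now runs only once execution reaches `dna_server_write_lock()`, which comes after the `if (!PR_CLIST_IS_EMPTY(dna_global_config))` test shown in the first hunk. If that block is skipped because the config list is empty, or is left early, the old global server list appears to be no longer freed, whereas the removed code freed it unconditionally at the top of the function. If that is intended, a comment at the flag would help, for example `/* free the old list once, under the server write lock */`; if not, the empty-config path needs its own delete under the write lock. The surrounding loop is outside the hunk, so the nesting is inferred from the once-only `freed_servers` flag. The same hunk appears in the two other copies of this commit on the page.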
ldap/servers/plugins/dna/dna.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
New commits:
commit 9cf2aa34cf74cfa8f8d161743916615bd8ffccc6
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Mon Apr 28 11:02:14 2014 -0400
Ticket 477779 - Need to lock server list when removing list
Description: Need to hold the write lock when deleting the server list.
There is no need to lock the list in the close function,
as all active threads should be stopped. In 1.3.3, the
dynamic plugin feature will also safely handle the plugin
shutdown.
https://fedorahosted.org/389/ticket/47779
Reviewed by: tbordaz(Thanks!)
(cherry picked from commit 2b98dcaf83fba3ea4fc52c2b8cad6deea02cb0e5)
diff --git a/ldap/servers/plugins/dna/dna.c b/ldap/servers/plugins/dna/dna.c
index f8f2813..490f32b 100644
--- a/ldap/servers/plugins/dna/dna.c
+++ b/ldap/servers/plugins/dna/dna.c
@@ -725,11 +725,9 @@ dna_load_shared_servers()
struct dnaServer *server = NULL, *global_servers = NULL;
PRCList *server_list = NULL;
PRCList *config_list = NULL;
+ int freed_servers = 0;
int ret = 0;
- /* First free the existing list. */
- dna_delete_global_servers();
-
/* Now build the new list. */
dna_write_lock();
if (!PR_CLIST_IS_EMPTY(dna_global_config)) {
@@ -747,6 +745,10 @@ dna_load_shared_servers()
}
dna_server_write_lock();
+ if(!freed_servers){
+ dna_delete_global_servers();
+ freed_servers = 1;
+ }
if (shared_list) {
server_list = PR_LIST_HEAD(shared_list);
while (server_list != shared_list) {
ldap/servers/plugins/dna/dna.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
New commits:
commit 2b98dcaf83fba3ea4fc52c2b8cad6deea02cb0e5
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Mon Apr 28 11:02:14 2014 -0400
Ticket 477779 - Need to lock server list when removing list
Description: Need to hold the write lock when deleting the server list.
There is no need to lock the list in the close function,
as all active threads should be stopped. In 1.3.3, the
dynamic plugin feature will also safely handle the plugin
shutdown.
https://fedorahosted.org/389/ticket/47779
Reviewed by: tbordaz(Thanks!)
diff --git a/ldap/servers/plugins/dna/dna.c b/ldap/servers/plugins/dna/dna.c
index e9453a4..d7049f9 100644
--- a/ldap/servers/plugins/dna/dna.c
+++ b/ldap/servers/plugins/dna/dna.c
@@ -700,11 +700,9 @@ dna_load_shared_servers()
struct dnaServer *server = NULL, *global_servers = NULL;
PRCList *server_list = NULL;
PRCList *config_list = NULL;
+ int freed_servers = 0;
int ret = 0;
- /* First free the existing list. */
- dna_delete_global_servers();
-
/* Now build the new list. */
dna_write_lock();
if (!PR_CLIST_IS_EMPTY(dna_global_config)) {
@@ -722,6 +720,10 @@ dna_load_shared_servers()
}
dna_server_write_lock();
+ if(!freed_servers){
+ dna_delete_global_servers();
+ freed_servers = 1;
+ }
if (shared_list) {
server_list = PR_LIST_HEAD(shared_list);
while (server_list != shared_list) {