01f7e5b Ticket #47375 - flush_ber error sending back start_tls response will deadlock

Authored and Committed by rmeggins 10 years ago
    Ticket #47375 - flush_ber error sending back start_tls response will deadlock
    
    https://fedorahosted.org/389/ticket/47375
    Reviewed by: nkinder (Thanks!)
    Branch: 389-ds-base-1.2.11
    Fix Description: The deadlock is caused by the client (or intermediary network
    device) closing the connection while the server is attempting to write to the
    client, to send back the start tls "success" response.  The server will lock
    the c_mutex to disconnect the connection in this error case.  Since the c_mutex
    has already been locked in start_tls(), the server will deadlock.  The polling
    thread will also attempt to lock c_mutex, deadlocking it too, and the server
    will become completely unresponsive.  The fix for this part is to make sure
    never to call send_ldap_result with c_mutex locked.
    After the server sends back the "success" response, if the
    client immediately issues a TLS session negotiation, the server may not
    have yet completely set up the socket for TLS, and will attempt to use the
    partially setup socket, which can crash.  The fix for this is to setup the
    socket for TLS IO using a Conn_IO_Layer callback, to establish the TLS IO
    for the connection before the next read() operation.
    Platforms tested: RHEL6 x86_64
    Flag Day: no
    Doc impact: no