#48226 In MMR, double free could occur under some special condition
Closed None Opened 4 years ago by tbordaz.

Symptom:
    In a replicated topology, an authenticated user that has write access on an entry 
    can send a series of operations that crash the server.
    The crash is due to an access to an already freed buffer.

Impact:
    If the user can reproduce the series of operations the crash is systematic.

Reviewed by Rich (Thank you!!)

Pushed to master:
193d79d..f5d2445 master -> master
commit a0f8e0f
commit f5d2445

Pushed to 389-ds-base-1.3.4:
9109a57..8600a5e 389-ds-base-1.3.4 -> 389-ds-base-1.3.4
commit bdbc81e
commit 8600a5e

Pushed to 389-ds-base-1.3.3:
0704386..dfcfa55 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit de1b027
commit dfcfa55

A leak was found in the patch 0001-Ticket-48226-In-MMR-double-free-coould-occur-under-s.patch

{{{
==3150== 32 bytes in 1 blocks are definitely lost in loss record 442 of 1,280
==3150== at 0x4A0645D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==3150== by 0x4C61F92: slapi_ch_malloc (ch_malloc.c:113)
==3150== by 0x4C653B1: csnset_add_csn (csnset.c:30)
==3150== by 0x4C6585E: csnset_dup (csnset.c:352)
^^^^^^^^^^
==3150== by 0x4CE4B35: valueset_update_csn_for_valuearray_ext (valueset.c:1420)
==3150== by 0x4C78A04: entry_delete_present_values_wsi.isra.5 (entrywsi.c:811)
==3150== by 0x4C7923E: entry_apply_mod_wsi (entrywsi.c:911)
==3150== by 0x4C7933E: entry_apply_mods_wsi (entrywsi.c:986)
==3150== by 0xA1A9A97: modify_apply_check_expand.isra.1 (ldbm_modify.c:247)
==3150== by 0xA1AB260: ldbm_back_modify (ldbm_modify.c:626)
==3150== by 0x4C9D4DC: op_shared_modify (modify.c:1054)
==3150== by 0x4C9E846: do_modify (modify.c:387)
==3150== by 0x418610: connection_threadmain (connection.c:619)
==3150== by 0x3A84828C2A: _pt_root (ptthread.c:212)
==3150== by 0x3A79407EE4: start_thread (in /usr/lib64/libpthread-2.18.so)
==3150== by 0x3A790F4D1C: clone (in /usr/lib64/libc-2.18.so)
}}}

git patch file (master) -- additional fix for the memory leak (regression by the previous patch)
0001-Ticket-48226-In-MMR-double-free-coould-occur-under-s.2.patch
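The valgrind record above reports the block allocated by csnset_add_csn inside csnset_dup as "definitely lost", i.e. the duplicated set was handed to the caller and never released. The following is an added illustration, not code from 389-ds-base or from this ticket's patches: a toy csnset modelled only on the function names in the trace (csnset_add_csn, csnset_dup), wrapped in an allocation counter so that a dup-without-free shows up as a non-zero live count, and a free routine that nulls the caller's pointer so a second free of the same set is harmless. The CSN strings and the update_csn_leaky / update_csn_fixed callers are constructed for the example.

```c
/* Added example: a toy "csnset" with allocation tracking.
 * Names are borrowed from the valgrind trace; the layout and the
 * update_csn_* callers are constructed and are not 389-ds-base code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CSN_LEN 40                      /* constructed: fixed-width CSN text */

typedef struct csn_node {
    char csn[CSN_LEN + 1];
    struct csn_node *next;
} csn_node;

typedef struct { csn_node *head; } csnset;

/* Number of blocks currently allocated through the wrappers below.
 * A non-zero value after all sets are freed is a leak. */
static long live_allocs = 0;

static void *tracked_malloc(size_t n) { live_allocs++; return malloc(n); }
static void tracked_free(void *p) { if (p) { live_allocs--; free(p); } }

long live_allocations(void) { return live_allocs; }

csnset *csnset_new(void) {
    csnset *s = tracked_malloc(sizeof *s);
    s->head = NULL;
    return s;
}

void csnset_add_csn(csnset *s, const char *csn) {
    csn_node *n = tracked_malloc(sizeof *n);
    strncpy(n->csn, csn, CSN_LEN);
    n->csn[CSN_LEN] = '\0';
    n->next = s->head;
    s->head = n;
}

/* Frees the set and nulls the caller's pointer, so calling this twice
 * on the same variable is a no-op instead of a double free. */
void csnset_free(csnset **sp) {
    csnset *s = *sp;
    if (!s) return;
    for (csn_node *n = s->head; n;) {
        csn_node *next = n->next;
        tracked_free(n);
        n = next;
    }
    tracked_free(s);
    *sp = NULL;
}

/* Returns a new, caller-owned copy: the caller must csnset_free() it. */
csnset *csnset_dup(const csnset *src) {
    csnset *d = csnset_new();
    for (csn_node *n = src->head; n; n = n->next)
        csnset_add_csn(d, n->csn);
    return d;
}

static long csnset_count(const csnset *s) {
    long c = 0;
    for (csn_node *n = s->head; n; n = n->next) c++;
    return c;
}

/* Leaky pattern: the duplicate is consulted and then dropped. This is the
 * shape of the leak valgrind attributes to csnset_dup's allocations. */
long update_csn_leaky(const csnset *src) {
    csnset *copy = csnset_dup(src);
    return csnset_count(copy);          /* copy is never freed */
}

/* Fixed pattern: the owned copy is released before returning. */
long update_csn_fixed(const csnset *src) {
    csnset *copy = csnset_dup(src);
    long count = csnset_count(copy);
    csnset_free(&copy);
    return count;
}

int main(void) {
    csnset *s = csnset_new();
    csnset_add_csn(s, "5c2a7e1f000000010000");   /* constructed CSNs */
    csnset_add_csn(s, "5c2a7e20000000010000");
    printf("fixed : %ld values, live blocks %ld\n", update_csn_fixed(s), live_allocations());
    printf("leaky : %ld values, live blocks %ld\n", update_csn_leaky(s), live_allocations());
    csnset_free(&s);
    csnset_free(&s);                     /* second free is harmless */
    printf("after free: live blocks %ld (non-zero = leaked by the leaky path)\n",
           live_allocations());
    return 0;
}
```

The live-block counter plays the role valgrind plays in the ticket: the fixed caller leaves the count unchanged, while the leaky caller leaves one set header plus one node per CSN unreclaimed.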

Reviewed by Mark (Thank you!!)

Pushed to master:
c2e350e..b26ec67 master -> master
commit b26ec67

Pushed to 389-ds-base-1.3.4:
5165d58..4a3efc3 389-ds-base-1.3.4 -> 389-ds-base-1.3.4
commit 4a3efc3

Pushed to 389-ds-base-1.3.3:
c7ac0ad..2fecc39 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit 2fecc39

Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.3.3.13

2 years ago

Metadata Update from @mreynolds:
- Custom field component reset
- Custom field reviewstatus adjusted to review (was: ack)
- Issue close_status updated to: None (was: Fixed)

2 years ago

Metadata Update from @firstyear:
- Custom field reviewstatus adjusted to ack (was: review)

2 years ago

cb7b499..ccfc3c3 master -> master
commit ccfc3c3
Author: Mark Reynolds mreynolds@redhat.com
Date: Mon Feb 20 21:48:57 2017 -0500
