#48492 heap corruption at schema replication.
Closed: wontfix. Opened 5 years ago by nhosoi.

Seems that there's a corrupted syntaxinfo structure at replicating the schema:
{{{
Program terminated with signal 6, Aborted.
#0  0x00007f0ce3e3e5f7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0x00007f0ce3e3e5f7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007f0ce3e3fce8 in __GI_abort () at abort.c:90
#2  0x00007f0ce3e7e317 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7f0ce3f879c8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:196
#3  0x00007f0ce3e85fe1 in malloc_printerr (ar_ptr=0x7f0ce41c3760 <main_arena>, ptr=<optimized out>, str=0x7f0ce3f850b4 "free(): invalid pointer", action=3) at malloc.c:5013
#4  _int_free (av=0x7f0ce41c3760 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:3835
#5  0x00007f0ce65fe9c6 in slapi_ch_free (ptr=0x7f0c80075b90) at ldap/servers/slapd/ch_malloc.c:292
#6  0x00007f0ce65fea35 in slapi_ch_free_string (s=<optimized out>) at ldap/servers/slapd/ch_malloc.c:325
#7  0x00007f0ce65f9608 in attr_syntax_free (a=0x7f0c80075b90) at ldap/servers/slapd/attrsyntax.c:195
#8  0x00007f0ce666b6ba in schema_berval_to_atlist (at_berval=at_berval@entry=0x7f0c80010580) at ldap/servers/slapd/schema.c:7192
#9  0x00007f0ce666cea3 in schema_attributetypes_superset_check (remote_schema=remote_schema@entry=0x7f0c80010580, type=type@entry=0x7f0cdb6f63e5 "supplier") at ldap/servers/slapd/schema.c:7267
#10 0x00007f0cdb6b28a7 in update_consumer_schema (conn=conn@entry=0x7f0ce86f6a30) at ldap/servers/plugins/replication/repl5_connection.c:1742
#11 0x00007f0cdb6b39a8 in conn_push_schema (conn=0x7f0ce86f6a30, remotecsn=remotecsn@entry=0x7f0c8f7fdc80) at ldap/servers/plugins/replication/repl5_connection.c:1823
#12 0x00007f0cdb6b5a77 in repl5_inc_run (prp=0x7f0ce86f9870) at ldap/servers/plugins/replication/repl5_inc_protocol.c:973
#13 0x00007f0cdb6bba3c in prot_thread_main (arg=0x7f0ce86a7230) at ldap/servers/plugins/replication/repl5_protocol.c:267
#14 0x00007f0ce48307bb in _pt_root (arg=0x7f0ce87037a0) at ../../../nspr/pr/src/pthreads/ptthread.c:212
#15 0x00007f0ce41d1dc5 in start_thread (arg=0x7f0c8f7fe700) at pthread_create.c:308
#16 0x00007f0ce3eff21d in clone ()
}}}

The problem seems to be when parsing the remote schema:
{{{
rc = parse_at_str(at_berval[i]->bv_val, &at, errorbuf, sizeof (errorbuf),
                  DSE_SCHEMA_NO_CHECK | DSE_SCHEMA_USE_PRIV_SCHEMA, 0,
                  schema_ds4x_compat, 0);
if(rc){
    attr_syntax_free(at);
    break;
}
}}}

The structure at_berval seems to be right in the core:
{{{
(gdb) print at_berval[859]->bv_val
$28 = 0x7f0c80073950 "( 2.16.840.1.113730.3.1.612 NAME 'generation' DESC 'Netscape defined attribute type' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' X-ORIGIN 'Netscape Directory Server' )"
(gdb) print at_berval[859]
$29 = (struct berval *) 0x7f0c80073a00
(gdb) print at_berval[860]
$30 = (struct berval *) 0x0
}}}

So it seems as if, while parsing it to get the attribute syntaxes, something is not going fine. Or could the heap corruption be prior to that?

As seen in the report, the SYNTAX OID value is in single quotes, which is not valid and no longer supported.
{{{
(gdb) print at_berval[859]->bv_val
$28 = 0x7f0c80073950 "( 2.16.840.1.113730.3.1.612 NAME 'generation' DESC 'Netscape defined attribute type' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' X-ORIGIN 'Netscape Directory Server' )"
}}}

But the server should not crash.

Instead of LDAPDebug1Arg which gets compiled out, can we use one of the slapi_log_error functions?

Otherwise a visual check looks good to me.

Replying to [comment:3 firstyear]:

> Instead of LDAPDebug1Arg which gets compiled out, can we use one of the slapi_log_error functions?
>
> Otherwise a visual check looks good to me.

Thank you for reviewing the patch. I'm curious: is there any particular reason why we'd better call slapi_log_error? It is a macro for "slapd_log_error_proc( NULL, fmt, arg );". We are using lots of LDAPDebug*. Are they to be replaced eventually?

git patch file (master) -- replaced LDAPDebug macro with slapi_log_error
0001-Ticket-48492-heap-corruption-at-schema-replication.patch

Reviewed by William and Mark (Thanks!!)

Pushed to master:
75b545a..b5bfa2a master -> master
commit b5bfa2a

Pushed to 389-ds-base-1.3.4:
099883c..9bd53c2 389-ds-base-1.3.4 -> 389-ds-base-1.3.4
commit 9bd53c2

(In reply to German Parente from comment #49)

> It's enough to use a particular custom schema and enable:
>
> nsslapd-enquote-sup-oc: on
>
> I will give more details later today.

Indeed, the schema code is adding the single quotes if the config param is on.
{{{
slap.h:#define CONFIG_ENQUOTE_SUP_OC_ATTRIBUTE "nsslapd-enquote-sup-oc"
outp += put_tagged_oid( outp, "SYNTAX ", syntaxoid, syntaxlengthbuf,
aew->enquote_sup_oc );
}}}
The case needs to be covered, as well.
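The two things discussed in this ticket, the error path in the report (attr_syntax_free(at) after parse_at_str fails) and the single-quoted SYNTAX OID produced when nsslapd-enquote-sup-oc is on, as an added example that is not code from 389-ds-base or from either of the patches above. It is a toy C parser for the NAME and SYNTAX fields of an attribute type description; every toy_ identifier and the TOY_ALLOW_QUOTED_SYNTAX flag are invented here, and the flag is only an assumed analogue of the enquote-sup-oc setting, not the project's implementation of it.

```c
/* Added example, not 389-ds-base code: a toy parser for the NAME and SYNTAX
 * fields of an RFC 4512 attribute type description. It shows (1) a failing
 * parser leaving the caller's out-pointer safe to free (set to NULL), and
 * (2) a single-quoted SYNTAX OID being rejected by default but accepted under
 * a compatibility flag. All toy_* names and the flag are invented here. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TOY_ALLOW_QUOTED_SYNTAX 0x1u /* assumed analogue of enquote-sup-oc */

struct toy_asyntaxinfo {
    char *name;      /* first NAME value, quotes stripped */
    char *syntaxoid; /* SYNTAX OID, quotes stripped */
};

/* Accepts NULL so an error path can free unconditionally. */
static void toy_asyntaxinfo_free(struct toy_asyntaxinfo *a)
{
    if (a) { free(a->name); free(a->syntaxoid); free(a); }
}

static char *toy_strndup(const char *s, size_t n)
{
    char *d = malloc(n + 1);
    if (d) { memcpy(d, s, n); d[n] = '\0'; }
    return d;
}

/* Copy the token after keyword kw, either 'quoted' or a bare word, and report
 * which form was seen. Single-value NAME form only. Returns NULL when kw is
 * absent, the quote is unterminated, or the token is empty. */
static char *toy_token_after(const char *desc, const char *kw, int *quoted)
{
    const char *p = strstr(desc, kw), *end;
    if (p == NULL) return NULL;
    for (p += strlen(kw); *p == ' '; p++) {}
    if ((*quoted = (*p == '\'')) != 0) {
        end = strchr(++p, '\'');
        if (end == NULL) return NULL;
    } else {
        for (end = p; *end && *end != ' ' && *end != ')'; end++) {}
    }
    return end == p ? NULL : toy_strndup(p, (size_t)(end - p));
}

static int toy_is_numeric_oid(const char *s)
{
    if (!isdigit((unsigned char)*s)) return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s) && *s != '.') return 0;
    return 1;
}

/* Parse desc into *out. On failure *out is NULL, errbuf says why and -1 is
 * returned, so toy_asyntaxinfo_free(*out) in the caller is a harmless no-op.
 * The crash in this ticket is a caller freeing an out-parameter that a failed
 * parse never initialised; this contract rules that out. */
static int toy_parse_at_str(const char *desc, struct toy_asyntaxinfo **out,
                            unsigned flags, char *errbuf, size_t errlen)
{
    int qname = 0, qsyntax = 0;
    struct toy_asyntaxinfo *a;
    char *name, *syntax;

    *out = NULL;
    name = toy_token_after(desc, "NAME ", &qname);
    syntax = toy_token_after(desc, "SYNTAX ", &qsyntax);
    if (name == NULL || syntax == NULL) {
        snprintf(errbuf, errlen, "missing NAME or SYNTAX"); goto fail;
    }
    if (qsyntax && !(flags & TOY_ALLOW_QUOTED_SYNTAX)) {
        snprintf(errbuf, errlen, "quoted SYNTAX OID '%s' is not valid", syntax); goto fail;
    }
    if (!toy_is_numeric_oid(syntax)) {
        snprintf(errbuf, errlen, "SYNTAX %s is not a numeric OID", syntax); goto fail;
    }
    if ((a = calloc(1, sizeof *a)) == NULL) {
        snprintf(errbuf, errlen, "out of memory"); goto fail;
    }
    a->name = name;
    a->syntaxoid = syntax;
    *out = a;
    return 0;
fail:
    free(name);
    free(syntax);
    return -1;
}

/* The attribute type from the ticket's gdb output, constructed here as test
 * input, parsed in strict and then in compatibility mode. Returns the number
 * of checks that passed; 4 means both paths behaved as intended. */
static int toy_selftest(void)
{
    static const char desc[] =
        "( 2.16.840.1.113730.3.1.612 NAME 'generation' "
        "DESC 'Netscape defined attribute type' "
        "SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' "
        "X-ORIGIN 'Netscape Directory Server' )";
    struct toy_asyntaxinfo *at = NULL; /* initialise before the call, too */
    char err[128];
    int passed = 0;

    if (toy_parse_at_str(desc, &at, 0, err, sizeof err) == -1) passed++;
    if (at == NULL) passed++;
    toy_asyntaxinfo_free(at); /* the error path: safe because at is NULL */

    if (toy_parse_at_str(desc, &at, TOY_ALLOW_QUOTED_SYNTAX, err, sizeof err) == 0) passed++;
    if (at && strcmp(at->name, "generation") == 0 &&
        strcmp(at->syntaxoid, "1.3.6.1.4.1.1466.115.121.1.26") == 0) passed++;
    toy_asyntaxinfo_free(at);
    return passed;
}
```

The check a caller should keep regardless of the parser's contract is the one in toy_selftest: initialise the pointer to NULL before the call. A parser that bails out before it ever reaches its out-parameter assignment leaves the caller's variable indeterminate, and freeing it is exactly the "free(): invalid pointer" abort in the backtrace above.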

I haven't run this code, but visually it looks okay.

git patch file (master) -- additional fixes for the crash and better nsslapd-enquote-sup-oc support
0001-Ticket-48492-heap-corruption-at-schema-replication.2.patch

Some minimal testing done, looks good to me.

Reviewed by William (Thank you!!)

Pushed to master:
6186290..955dc66 master -> master
commit 955dc66

Pushed to 389-ds-base-1.3.4:
957dfe1..7927e44 389-ds-base-1.3.4 -> 389-ds-base-1.3.4
commit 7927e44

Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.3.4.10

4 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1774

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

a year ago
