#48492 heap corruption at schema replication.
Closed: Fixed None Opened 3 years ago by nhosoi.

Seems that there's a corrupted syntaxinfo structure at replicating the schema.
{{{
Program terminated with signal 6, Aborted.
#0  0x00007f0ce3e3e5f7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0x00007f0ce3e3e5f7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007f0ce3e3fce8 in __GI_abort () at abort.c:90
#2  0x00007f0ce3e7e317 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7f0ce3f879c8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:196
#3  0x00007f0ce3e85fe1 in malloc_printerr (ar_ptr=0x7f0ce41c3760 <main_arena>, ptr=<optimized out>, str=0x7f0ce3f850b4 "free(): invalid pointer", action=3) at malloc.c:5013
#4  _int_free (av=0x7f0ce41c3760 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:3835
#5  0x00007f0ce65fe9c6 in slapi_ch_free (ptr=0x7f0c80075b90) at ldap/servers/slapd/ch_malloc.c:292
#6  0x00007f0ce65fea35 in slapi_ch_free_string (s=<optimized out>) at ldap/servers/slapd/ch_malloc.c:325
#7  0x00007f0ce65f9608 in attr_syntax_free (a=0x7f0c80075b90) at ldap/servers/slapd/attrsyntax.c:195
#8  0x00007f0ce666b6ba in schema_berval_to_atlist (at_berval=at_berval@entry=0x7f0c80010580) at ldap/servers/slapd/schema.c:7192
#9  0x00007f0ce666cea3 in schema_attributetypes_superset_check (remote_schema=remote_schema@entry=0x7f0c80010580, type=type@entry=0x7f0cdb6f63e5 "supplier") at ldap/servers/slapd/schema.c:7267
#10 0x00007f0cdb6b28a7 in update_consumer_schema (conn=conn@entry=0x7f0ce86f6a30) at ldap/servers/plugins/replication/repl5_connection.c:1742
#11 0x00007f0cdb6b39a8 in conn_push_schema (conn=0x7f0ce86f6a30, remotecsn=remotecsn@entry=0x7f0c8f7fdc80) at ldap/servers/plugins/replication/repl5_connection.c:1823
#12 0x00007f0cdb6b5a77 in repl5_inc_run (prp=0x7f0ce86f9870) at ldap/servers/plugins/replication/repl5_inc_protocol.c:973
#13 0x00007f0cdb6bba3c in prot_thread_main (arg=0x7f0ce86a7230) at ldap/servers/plugins/replication/repl5_protocol.c:267
#14 0x00007f0ce48307bb in _pt_root (arg=0x7f0ce87037a0) at ../../../nspr/pr/src/pthreads/ptthread.c:212
#15 0x00007f0ce41d1dc5 in start_thread (arg=0x7f0c8f7fe700) at pthread_create.c:308
#16 0x00007f0ce3eff21d in clone ()
}}}
The problem seems to be when parsing the remote schema:
{{{
rc = parse_at_str(at_berval[i]->bv_val, &at, errorbuf, sizeof (errorbuf),
                  DSE_SCHEMA_NO_CHECK | DSE_SCHEMA_USE_PRIV_SCHEMA, 0, schema_ds4x_compat, 0);
if(rc){
    attr_syntax_free(at);
    break;
}
}}}
The structure at_berval seems to be right in the core:
{{{
(gdb) print at_berval[859]->bv_val
$28 = 0x7f0c80073950 "( 2.16.840.1.113730.3.1.612 NAME 'generation' DESC 'Netscape defined attribute type' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' X-ORIGIN 'Netscape Directory Server' )"
(gdb) print at_berval[859]
$29 = (struct berval *) 0x7f0c80073a00
(gdb) print at_berval[860]
$30 = (struct berval *) 0x0
}}}
So, it seems as if while parsing it to get the attribute syntaxes, something is not going on fine. Or could the heap corruption be prior to that?

As seen in the report, the SYNTAX OID value is in single quotes, which is not valid and no longer supported.
{{{
(gdb) print at_berval[859]->bv_val
$28 = 0x7f0c80073950 "( 2.16.840.1.113730.3.1.612 NAME 'generation' DESC 'Netscape defined attribute type' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' X-ORIGIN 'Netscape Directory Server' )"
}}}

But the server should not crash.

Instead of LDAPDebug1Arg which gets compiled out, can we use one of the slapi_log_error functions?

Otherwise a visual check looks good to me.

Replying to [comment:3 firstyear]:

> Instead of LDAPDebug1Arg which gets compiled out, can we use one of the slapi_log_error functions?
>
> Otherwise a visual check looks good to me.

Thank you for reviewing the patch. I'm curious. Is there any particular reason why we'd better call slapi_log_error? It is a macro of "slapd_log_error_proc( NULL, fmt, arg );" We are using lots of LDAPDebug*. Are they to be replaced eventually?

git patch file (master) -- replaced LDAPDebug macro with slapi_log_error
0001-Ticket-48492-heap-corruption-at-schema-replication.patch

Reviewed by William and Mark (Thanks!!)

Pushed to master:
75b545a..b5bfa2a master -> master
commit b5bfa2a

Pushed to 389-ds-base-1.3.4:
099883c..9bd53c2 389-ds-base-1.3.4 -> 389-ds-base-1.3.4
commit 9bd53c2

(In reply to German Parente from comment #49)

> It's enough to use a particular custom schema and enable:
>
> nsslapd-enquote-sup-oc: on
>
> I will give more details later today.

Indeed, the schema code is adding the single quotes if the config param is on.
{{{
slap.h:#define CONFIG_ENQUOTE_SUP_OC_ATTRIBUTE "nsslapd-enquote-sup-oc"
outp += put_tagged_oid( outp, "SYNTAX ", syntaxoid, syntaxlengthbuf,
aew->enquote_sup_oc );
}}}
The case needs to be covered, as well.
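The backtrace in the report reaches attr_syntax_free() from the error path of parse_at_str(), and the comment above shows that nsslapd-enquote-sup-oc emits the SYNTAX OID in single quotes. As an added illustration (not 389-ds code; struct and function names are hypothetical), here is a small C parser that accepts both the bare and the 'quoted' OID form and whose error-path contract leaves the out-pointer NULL, so the caller's unconditional free on failure is always safe:

```c
#include <stdlib.h>
#include <string.h>
/* Illustrative stand-in for an attribute-type record (not 389-ds's own struct). */
struct attr_type { char *name; char *syntax_oid; };

/* Tolerates NULL, like free(): a caller may free whatever parse_attr_type left behind. */
void attr_type_free(struct attr_type *at)
{
    if (!at) return;
    free(at->name);
    free(at->syntax_oid);
    free(at);
}

/* Copy the value following `key`, in either 'quoted' or (if bare_ok) bare form.
 * NULL if the key is missing, the value is empty, or a quote is unterminated. */
static char *copy_value(const char *desc, const char *key, int bare_ok)
{
    const char *p = strstr(desc, key);
    if (!p) return NULL;
    p += strlen(key);
    while (*p == ' ') p++;
    int quoted = (*p == '\'');
    if (quoted) p++;
    else if (!bare_ok) return NULL;
    const char *start = p;
    if (quoted) while (*p && *p != '\'') p++;
    else while (*p && *p != ' ' && *p != ')') p++;
    size_t len = (size_t)(p - start);
    if (len == 0 || (quoted && *p != '\'')) return NULL;   /* empty or unterminated */
    char *v = malloc(len + 1);
    if (!v) return NULL;
    memcpy(v, start, len); v[len] = '\0';
    return v;
}

/* Parse "( oid NAME 'x' ... SYNTAX oid ... )". Contract: on failure the return is
 * nonzero AND *out is NULL, so the caller's attr_type_free(*out) is always safe. */
int parse_attr_type(const char *desc, struct attr_type **out)
{
    *out = NULL;                                  /* never leave the out-pointer stale */
    struct attr_type *at = calloc(1, sizeof *at);
    if (!at) return -1;
    at->name = copy_value(desc, "NAME ", 0);
    at->syntax_oid = copy_value(desc, "SYNTAX ", 1);  /* accepts SYNTAX '1.3.6...' too */
    if (!at->name || !at->syntax_oid) { attr_type_free(at); return -1; }
    *out = at;
    return 0;
}
```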

I haven't run this code, but visually it looks okay.

git patch file (master) -- additional fixes for the crash and better nsslapd-enquote-sup-oc support
0001-Ticket-48492-heap-corruption-at-schema-replication.2.patch

Some minimal testing done, looks good to me.

Reviewed by William (Thank you!!)

Pushed to master:
6186290..955dc66 master -> master
commit 955dc66

Pushed to 389-ds-base-1.3.4:
957dfe1..7927e44 389-ds-base-1.3.4 -> 389-ds-base-1.3.4
commit 7927e44

Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.3.4.10

2 years ago
