Bug 231507 - rhds72 Modification of directory entries with VLV-indexed null-value attributes results in server crash
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: Database - Indexes/Searches
Version: 7.2
Hardware: All
OS: Linux
Target Milestone: DS8.0
Assignee: Rich Megginson
QA Contact: Viktor Ashirov
Depends On:
Reported: 2007-03-08 19:27 UTC by Marco Rhodes
Modified: 2018-10-19 22:35 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2016-05-06 14:41:04 UTC
Target Upstream Version:

Attachments
diffs (deleted) - 2007-03-08 21:09 UTC, Rich Megginson
cvs commit log (deleted) - 2007-03-14 16:29 UTC, Rich Megginson

Description Marco Rhodes 2007-03-08 19:27:27 UTC
Description of problem:

The crash happens when you have a modify containing an attribute with some
values followed by an attribute with no values, and the attributes are among
the attributes sorted on by the VLV search.  For example, when you create a
browsing index in the console, it creates a VLV index sorted first by cn, then
givenname, then o, then ou, then sn.  So if the entry you are modifying, prior
to the modify request, has a value for cn, but none for givenname, the server
will crash.

Comment 1 Rich Megginson 2007-03-08 21:09:24 UTC
Created attachment 149634

Comment 2 Noriko Hosoi 2007-03-08 21:16:53 UTC
Your fix looks good.

Comment 3 Rich Megginson 2007-03-14 16:29:02 UTC
Created attachment 150065
cvs commit log

Reviewed by: nkinder, nhosoi, prowley (Thanks!)
File: ldapserver/ldap/servers/slapd/back-ldbm/vlv.c
Fix Description: The value lowest_value is defined outside the loop that loops
through all the attributes in the vlv sort specification (e.g. usually
something like cn givenname o ou sn if defined by the console browsing index). 
lowest_value is not reset for each loop iteration.  So if it goes through the
loop one time for e.g. givenname, and givenname has values, lowest_value will
point to the lowest value of givenname until the key is created, then it is
freed.  So the next loop iteration uses o, and if for example o does not have
any values, lowest_value will point to the already freed memory used by the
givenname iteration, which is now garbage (e.g. the lowest_value->bv_len may be
very large, which is the probable cause of the malloc out of memory errors seen
by the customer).  The solution is to reset lowest_value to NULL before each
loop iteration (I did this by moving the declaration and initialization of
lowest_value inside the loop scope) and testing for lowest_value == NULL before
trying to use it.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
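
The stale-pointer pattern described in comment 3 and its fix, as an added example that is not part of the bug report and is not the vlv.c code. It is a simplified model: `struct attr`, `norm_copy` and `build_key` are hypothetical names, and the entry data in `main` is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAXV 4
/* Hypothetical stand-in for one sort attribute of an entry (nvals <= MAXV). */
struct attr { const char *name; const char *vals[MAXV]; int nvals; };

/* Heap copy of a value, lowercased: models the temporary normalized values. */
static char *norm_copy(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    for (size_t i = 0; p != NULL && i < n; i++)
        p[i] = (char)tolower((unsigned char)s[i]);
    return p;
}

/* Build "lowest|lowest|..." over the sort attributes; returns 0 on success.
 * reset_per_attr=1 is the fixed shape. reset_per_attr=0 keeps `lowest` across
 * iterations (pre-fix shape): a valued attribute followed by an empty one
 * then reads freed memory, so run that only under ASan or valgrind. */
static int build_key(const struct attr *a, int n, int reset_per_attr,
                     char *key, size_t keysz) {
    char *lowest = NULL;
    size_t used = 0;
    if (keysz == 0) return -1;
    key[0] = '\0';
    for (int i = 0; i < n; i++) {
        char *tmp[MAXV] = {0};
        if (reset_per_attr) lowest = NULL;    /* the fix: nothing carries over */
        for (int v = 0; v < a[i].nvals; v++) {
            tmp[v] = norm_copy(a[i].vals[v]);
            if (tmp[v] == NULL) { while (v-- > 0) free(tmp[v]); return -1; }
            if (v == 0 || strcmp(tmp[v], lowest) < 0) lowest = tmp[v];
        }
        /* lowest == NULL means "no values": emit an empty key component. */
        int w = snprintf(key + used, keysz - used, "%s|", lowest ? lowest : "");
        for (int v = 0; v < a[i].nvals; v++) free(tmp[v]);  /* lowest dangles */
        if (w < 0 || (size_t)w >= keysz - used) return -1;
        used += (size_t)w;
    }
    return 0;
}

int main(void) {
    /* Constructed entry: cn has a value, givenname has none. */
    struct attr e[] = { {"cn", {"Bob"}, 1}, {"givenname", {0}, 0},
                        {"sn", {"Smith", "Jones"}, 2} };
    char key[64];
    if (build_key(e, 3, 1, key, sizeof key) == 0) puts(key);
    return 0;
}
```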

Comment 4 Rich Megginson 2007-03-14 16:36:58 UTC
Committed fix to HEAD.
Checking in vlv.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/vlv.c,v  <--  vlv.c
new revision: 1.13; previous revision: 1.12

Comment 5 Chandrasekar Kannan 2007-07-25 19:05:43 UTC
DS7.2 is not a valid milestone anymore. Anything that's set to DS7.2 should be
set to DS8.0. Will make further changes per bug council on 07/24/2007, after this.
