ldap/servers/slapd/connection.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
New commits:
commit 55106fe77d2c834b0ba866d440bb8ce08c1d01ff
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Wed Nov 9 13:05:39 2011 -0700
Bug 751645 - crash when simple paged fails to send entry to client
https://bugzilla.redhat.com/show_bug.cgi?id=751645
Resolves: bug 751645
Bug Description: crash when simple paged fails to send entry to client
Reviewed by: nkinder,nhosoi (Thanks!)
Branch: master
Fix Description: The crash happens when the server is sending back the paged
result entry responses to the client and there is a problem with the
connection e.g. the client closes the socket while the server is doing the
PR_Send/PR_Write on the client socket. If the reader thread in
connection_read_operation() sees the close first, it will call
disconnect_server() to disconnect the socket and cleanup the pagedresult
structure back_search_result_set in the Connection*. The problem with this
is that it leaves a dangling reference to the pagedresult structures in the
writer thread in ldbm_back_next_search_entry_ext. When that code sees the
error from the write, it will also attempt to free the search result, and
will get an invalid or double free error. The solution is to not do the
pagedresults_cleanup in disconnect_server(), but instead allow the writer
thread to do the cleanup safely. The connection_cleanup() function will
call pagedresults_cleanup() to avoid any memory leaks. The only thing the
disconnect_server() function needs to do is to reset the c_timelimit to
avoid the "slapd stops responding" and "simple paged results timeout" problems.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
index b95759a..27e4fe1 100644
--- a/ldap/servers/slapd/connection.c
+++ b/ldap/servers/slapd/connection.c
@@ -2766,9 +2766,7 @@ disconnect_server_nomutex( Connection *conn, PRUint64 opconnid, int
opid, PRErro
conn->c_gettingber = 0;
connection_abandon_operations( conn );
-
- pagedresults_cleanup(conn, 0 /* already locked */); /* In case the connection is on
pagedresult.
- Better to call it after the op is abandened. */
+ conn->c_timelimit = 0; /* needed here to ensure simple paged results timeout properly
and don't impact subsequent ops */
if (! config_check_referral_mode()) {
/*
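Review bot: the new comment at the `conn->c_timelimit = 0;` line explains the reset but not why the `pagedresults_cleanup()` call directly above it was removed, so a later maintainer reading `disconnect_server_nomutex()` may well put it back and reintroduce the double free described in the commit message. Suggest stating the invariant in the hunk itself, e.g. `/* Do NOT call pagedresults_cleanup() here: the writer thread in ldbm_back_next_search_entry_ext() still holds the result set and frees it on write error; connection_cleanup() frees anything left over */`. The correctness of this hunk also rests on two things not visible in it: that `connection_cleanup()` really does call `pagedresults_cleanup()` on every disconnect path (otherwise the removed call was the only thing preventing a leak), and that the writer thread is the sole remaining owner of the `back_search_result_set` once `connection_abandon_operations()` has run. Both are worth confirming in the diff review rather than taking from the description, since the removed comment ("Better to call it after the op is abandened") suggests the original author believed the cleanup was needed right here.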