[Pkg-fedora-ds-maintainers] 389-ds-base: Changes to 'master'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Wed Jun 24 10:16:12 UTC 2015
VERSION.sh | 2
debian/changelog | 7
dirsrvtests/suites/dynamic-plugins/test_dynamic_plugins.py | 7
dirsrvtests/tickets/ticket47553_rdn_write_test.py | 9
dirsrvtests/tickets/ticket47828_test.py | 1
ldap/servers/plugins/replication/repl5.h | 4
ldap/servers/plugins/replication/repl5_agmtlist.c | 54 +++
ldap/servers/plugins/replication/repl5_replica_config.c | 189 ++++++-----
ldap/servers/slapd/abandon.c | 10
ldap/servers/slapd/back-ldbm/dblayer.c | 7
ldap/servers/slapd/back-ldbm/ldbm_delete.c | 19 +
ldap/servers/slapd/back-ldbm/ldbm_instance_config.c | 6
ldap/servers/slapd/back-ldbm/ldbm_modrdn.c | 11
ldap/servers/slapd/back-ldbm/ldbm_search.c | 13
ldap/servers/slapd/bind.c | 3
ldap/servers/slapd/opshared.c | 215 ++++++-------
ldap/servers/slapd/pagedresults.c | 177 ++++++----
ldap/servers/slapd/plugin.c | 13
ldap/servers/slapd/plugin_syntax.c | 11
ldap/servers/slapd/proto-slap.h | 4
ldap/servers/slapd/result.c | 32 +
ldap/servers/slapd/ssl.c | 97 +++--
22 files changed, 540 insertions(+), 351 deletions(-)
New commits:
commit 1f6a9dbf6040df6b8a1c4c7d6fdca1ca4d97d443
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Jun 24 11:48:07 2015 +0300
releasing package 389-ds-base version 1.3.3.12-1
diff --git a/debian/changelog b/debian/changelog
index 8e3d974..fd0c9ab 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,9 @@
-389-ds-base (1.3.3.12-1) UNRELEASED; urgency=medium
+389-ds-base (1.3.3.12-1) unstable; urgency=medium
* New upstream release
- fix CVE-2015-3230 (Closes: #789202)
- -- Timo Aaltonen <tjaalton at debian.org> Wed, 24 Jun 2015 11:33:56 +0300
+ -- Timo Aaltonen <tjaalton at debian.org> Wed, 24 Jun 2015 11:47:50 +0300
389-ds-base (1.3.3.10-1) unstable; urgency=medium
commit 63a07403c58cb156ff854c8c260f5a9fa51cb104
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Jun 24 11:45:23 2015 +0300
update the changelog
diff --git a/debian/changelog b/debian/changelog
index 5d6f65f..8e3d974 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+389-ds-base (1.3.3.12-1) UNRELEASED; urgency=medium
+
+ * New upstream release
+ - fix CVE-2015-3230 (Closes: #789202)
+
+ -- Timo Aaltonen <tjaalton at debian.org> Wed, 24 Jun 2015 11:33:56 +0300
+
389-ds-base (1.3.3.10-1) unstable; urgency=medium
* New upstream release
commit 0baa5a1f54d3d241f3b802db99cb42b455959e56
Author: Noriko Hosoi <nhosoi at redhat.com>
Date: Wed Jun 17 12:33:18 2015 -0700
bump version to 1.3.3.12
diff --git a/VERSION.sh b/VERSION.sh
index 22d9654..5ab6022 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,7 +10,7 @@ vendor="389 Project"
# PACKAGE_VERSION is constructed from these
VERSION_MAJOR=1
VERSION_MINOR=3
-VERSION_MAINT=3.11
+VERSION_MAINT=3.12
# if this is a PRERELEASE, set VERSION_PREREL
# otherwise, comment it out
# be sure to include the dot prefix in the prerel
commit 99109e38ca671951c50724018fce71e2e362f0ff
Author: Noriko Hosoi <nhosoi at redhat.com>
Date: Thu Jun 11 22:25:14 2015 -0700
Ticket #48194 - nsSSL3Ciphers preference not enforced server side
Description: The fix for ticket 47838 accidentally changed the timing
of setting default cipher preferences and creating a sslSocket which
broke setting the default preferences to each sslSocket.
https://fedorahosted.org/389/ticket/48194
Reviewed by rmeggins at redhat.com (Thank you, Rich!!)
(cherry picked from commit 53c9c4e84e3bcbc40de87b1e7cf7634d14599e1c)
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 67d01cd..198edbc 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -1342,9 +1342,6 @@ slapd_ssl_init()
freeConfigEntry( &entry );
}
- /* ugaston- Cipher preferences must be set before any sslSocket is created
- * for such sockets to take preferences into account.
- */
freeConfigEntry( &entry );
/* Introduce a way of knowing whether slapd_ssl_init has
@@ -1590,6 +1587,45 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
errorbuf[0] = '\0';
+ /*
+ * Cipher preferences must be set before any sslSocket is created
+ * for such sockets to take preferences into account.
+ */
+ getConfigEntry(configDN, &e);
+ if (e == NULL) {
+ slapd_SSL_warn("Security Initialization: Failed get config entry %s", configDN);
+ return 1;
+ }
+ val = slapi_entry_attr_get_charptr(e, "allowWeakCipher");
+ if (val) {
+ if (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") ||
+ !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")) {
+ allowweakcipher = CIPHER_SET_DISALLOWWEAKCIPHER;
+ } else if (!PL_strcasecmp(val, "on") || !PL_strcasecmp(val, "true") ||
+ !PL_strcmp(val, "1") || !PL_strcasecmp(val, "yes")) {
+ allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER;
+ } else {
+ slapd_SSL_warn("The value of allowWeakCipher \"%s\" in %s is invalid.",
+ "Ignoring it and set it to default.", val, configDN);
+ }
+ }
+ slapi_ch_free((void **) &val);
+
+ /* Set SSL cipher preferences */
+ *cipher_string = 0;
+ if(ciphers && (*ciphers) && PL_strcmp(ciphers, "blank"))
+ PL_strncpyz(cipher_string, ciphers, sizeof(cipher_string));
+ slapi_ch_free((void **) &ciphers);
+
+ if ( NULL != (val = _conf_setciphers(cipher_string, allowweakcipher)) ) {
+ errorCode = PR_GetError();
+ slapd_SSL_warn("Security Initialization: Failed to set SSL cipher "
+ "preference information: %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
+ val, errorCode, slapd_pr_strerror(errorCode));
+ slapi_ch_free((void **) &val);
+ }
+ freeConfigEntry(&e);
+
/* Import pr fd into SSL */
pr_sock = SSL_ImportFD( NULL, sock );
if( pr_sock == (PRFileDesc *)NULL ) {
@@ -1632,8 +1668,6 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
slapd_pk11_setSlotPWValues(slot, 0, 0);
}
-
-
/*
* Now, get the complete list of cipher families. Each family
* has a token name and personality name which we'll use to find
@@ -1816,9 +1850,8 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
"out of disk space! Make more room in /tmp "
"and try again. (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
errorCode, slapd_pr_strerror(errorCode));
- }
- else {
- slapd_SSL_error("Config of server nonce cache failed (error %d - %s)",
+ } else {
+ slapd_SSL_error("Config of server nonce cache failed (error %d - %s)",
errorCode, slapd_pr_strerror(errorCode));
}
return rv;
@@ -1985,36 +2018,6 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
}
#endif
- val = slapi_entry_attr_get_charptr(e, "allowWeakCipher");
- if (val) {
- if (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") ||
- !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")) {
- allowweakcipher = CIPHER_SET_DISALLOWWEAKCIPHER;
- } else if (!PL_strcasecmp(val, "on") || !PL_strcasecmp(val, "true") ||
- !PL_strcmp(val, "1") || !PL_strcasecmp(val, "yes")) {
- allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER;
- } else {
- slapd_SSL_warn("The value of allowWeakCipher \"%s\" in %s is invalid.",
- "Ignoring it and set it to default.", val, configDN);
- }
- }
- slapi_ch_free((void **) &val);
-
- /* Set SSL cipher preferences */
- *cipher_string = 0;
- if(ciphers && (*ciphers) && PL_strcmp(ciphers, "blank"))
- PL_strncpyz(cipher_string, ciphers, sizeof(cipher_string));
- slapi_ch_free((void **) &ciphers);
-
- if ( NULL != (val = _conf_setciphers(cipher_string, allowweakcipher)) ) {
- errorCode = PR_GetError();
- slapd_SSL_warn("Security Initialization: Failed to set SSL cipher "
- "preference information: %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- val, errorCode, slapd_pr_strerror(errorCode));
- rv = 3;
- slapi_ch_free((void **) &val);
- }
-
freeConfigEntry( &e );
if(( slapd_SSLclientAuth = config_get_SSLclientAuth()) != SLAPD_SSLCLIENTAUTH_OFF ) {
@@ -2059,17 +2062,17 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
/* richm 20020227
To do LDAP client SSL init, we need to do
- static void
- ldapssl_basic_init( void )
- {
- PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
+ static void
+ ldapssl_basic_init( void )
+ {
+ PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
- PR_SetConcurrency( 4 );
- }
+ PR_SetConcurrency( 4 );
+ }
NSS_Init(certdbpath);
SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_FALSE);
- SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE);
- s = NSS_SetDomesticPolicy();
+ SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE);
+ s = NSS_SetDomesticPolicy();
We already do pr_init, we don't need pr_setconcurrency, we already do nss_init and the rest
*/
@@ -2095,7 +2098,7 @@ slapd_SSL_client_auth (LDAP* ld)
char **family;
char *personality = NULL;
char *activation = NULL;
- char *cipher = NULL;
+ char *cipher = NULL;
for (family = family_list; *family; family++) {
getConfigEntry( *family, &entry );
commit 18f3e3ab3ca6bdea16c894a106510e51d3c17fcc
Author: Noriko Hosoi <nhosoi at redhat.com>
Date: Wed Jun 10 11:01:50 2015 -0700
bump version to 1.3.3.11
diff --git a/VERSION.sh b/VERSION.sh
index 71c5369..22d9654 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,7 +10,7 @@ vendor="389 Project"
# PACKAGE_VERSION is constructed from these
VERSION_MAJOR=1
VERSION_MINOR=3
-VERSION_MAINT=3.9
+VERSION_MAINT=3.11
# if this is a PRERELEASE, set VERSION_PREREL
# otherwise, comment it out
# be sure to include the dot prefix in the prerel
commit 798eae4f2240a5b47963a2bb09a2a17acfc488ec
Author: Noriko Hosoi <nhosoi at redhat.com>
Date: Tue Jun 9 10:02:02 2015 -0700
Ticket #48192 - Individual abandoned simple paged results request has no chance to be cleaned up
Description: When a simple paged results is abandoned immediately and
asynchronously just after the request, the abandon request has a chance
to be handled before the simple paged results control is received and
processed. In the case, the search could be executed and the search
result structure could be leaked.
This patch adds more abandon checks. In op_shared_search, after the
send_results_ext call, if the SLAPI_OP_STATUS_ABANDONED bit is set in
the status in the operation object, it cleans up the search results
again, which gives the second chance.
https://fedorahosted.org/389/ticket/48192
Reviewed by tbordaz at redhat.com (Thank you so much, Thierry!!)
(cherry picked from commit 1d18dd0107d48ac1d79f7c9988adf18b0905bbdb)
diff --git a/ldap/servers/slapd/abandon.c b/ldap/servers/slapd/abandon.c
index 43158a8..9797f7c 100644
--- a/ldap/servers/slapd/abandon.c
+++ b/ldap/servers/slapd/abandon.c
@@ -132,8 +132,7 @@ do_abandon( Slapi_PBlock *pb )
}
operation_set_abandoned_op (pb->pb_op, o->o_abandoned_op);
- if ( plugin_call_plugins( pb, SLAPI_PLUGIN_PRE_ABANDON_FN )
- == 0 ) {
+ if ( plugin_call_plugins( pb, SLAPI_PLUGIN_PRE_ABANDON_FN ) == 0 ) {
int rc = 0;
if ( o->o_status != SLAPI_OP_STATUS_RESULT_SENT ) {
@@ -148,14 +147,13 @@ do_abandon( Slapi_PBlock *pb )
suppressed_by_plugin = 1;
}
} else {
- LDAPDebug( LDAP_DEBUG_TRACE, "do_abandon: op not found\n", 0, 0,
- 0 );
+ LDAPDebug0Args(LDAP_DEBUG_TRACE, "do_abandon: op not found\n");
}
if ( 0 == pagedresults_free_one_msgid_nolock(pb->pb_conn, id) ) {
slapi_log_access( LDAP_DEBUG_STATS, "conn=%" NSPRIu64
- " op=%d ABANDON targetop=Simple Paged Results\n",
- pb->pb_conn->c_connid, pb->pb_op->o_opid );
+ " op=%d ABANDON targetop=Simple Paged Results msgid=%d\n",
+ pb->pb_conn->c_connid, pb->pb_op->o_opid, id );
} else if ( NULL == o ) {
slapi_log_access( LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d ABANDON"
" targetop=NOTFOUND msgid=%d\n",
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_search.c b/ldap/servers/slapd/back-ldbm/ldbm_search.c
index fe0a6ca..ae0eef5 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_search.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_search.c
@@ -1836,12 +1836,21 @@ ldbm_back_next_search_entry_ext( Slapi_PBlock *pb, int use_extension )
}
}
}
+ /* check for the final abandon */
+ if (slapi_op_abandoned(pb)) {
+ slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_SET_SIZE_ESTIMATE, &estimate );
+ if ( use_extension ) {
+ slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY_EXT, NULL );
+ }
+ slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY, NULL );
+ delete_search_result_set(pb, &sr);
+ rc = SLAPI_FAIL_GENERAL;
+ }
bail:
- if(rc){
+ if (rc && op) {
op->o_reverse_search_state = 0;
}
-
return rc;
}
diff --git a/ldap/servers/slapd/opshared.c b/ldap/servers/slapd/opshared.c
index 1623fb0..9a5a141 100644
--- a/ldap/servers/slapd/opshared.c
+++ b/ldap/servers/slapd/opshared.c
@@ -748,7 +748,7 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
pagedresults_unlock(pb->pb_conn, pr_idx);
if (next_be) {
/* no more entries, but at least another backend */
- if (pagedresults_set_current_be(pb->pb_conn, next_be, pr_idx) < 0) {
+ if (pagedresults_set_current_be(pb->pb_conn, next_be, pr_idx, 0) < 0) {
goto free_and_return;
}
}
@@ -878,23 +878,23 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
curr_search_count = pnentries;
slapi_pblock_get(pb, SLAPI_SEARCH_RESULT_SET, &sr);
if (PAGEDRESULTS_SEARCH_END == pr_stat) {
- if (sr) { /* in case a left over sr is found, clean it up */
- pagedresults_free_one(pb->pb_conn, operation, pr_idx);
- }
+ /* no more entries, but at least another backend */
+ PR_Lock(pb->pb_conn->c_mutex);
+ pagedresults_set_search_result(pb->pb_conn, operation, NULL, 1, pr_idx);
+ be->be_search_results_release(&sr);
+ rc = pagedresults_set_current_be(pb->pb_conn, next_be, pr_idx, 1);
+ PR_Unlock(pb->pb_conn->c_mutex);
if (NULL == next_be) {
- /* no more entries && no more backends */
- curr_search_count = -1;
- } else {
- /* no more entries, but at least another backend */
- if (pagedresults_set_current_be(pb->pb_conn, next_be, pr_idx) < 0) {
+ /* no more entries && no more backends */
+ curr_search_count = -1;
+ } else if (rc < 0) {
goto free_and_return;
- }
}
} else {
curr_search_count = pnentries;
slapi_pblock_get(pb, SLAPI_SEARCH_RESULT_SET_SIZE_ESTIMATE, &estimate);
pagedresults_lock(pb->pb_conn, pr_idx);
- if ((pagedresults_set_current_be(pb->pb_conn, be, pr_idx) < 0) ||
+ if ((pagedresults_set_current_be(pb->pb_conn, be, pr_idx, 0) < 0) ||
(pagedresults_set_search_result(pb->pb_conn, operation, sr, 0, pr_idx) < 0) ||
(pagedresults_set_search_result_count(pb->pb_conn, operation, curr_search_count, pr_idx) < 0) ||
(pagedresults_set_search_result_set_size_estimate(pb->pb_conn, operation, estimate, pr_idx) < 0) ||
@@ -904,10 +904,20 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
}
pagedresults_unlock(pb->pb_conn, pr_idx);
}
- pagedresults_set_response_control(pb, 0, estimate,
- curr_search_count, pr_idx);
slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_SET, NULL );
next_be = NULL; /* to break the loop */
+ if (operation->o_status & SLAPI_OP_STATUS_ABANDONED) {
+ /* It turned out this search was abandoned. */
+ PR_Lock(pb->pb_conn->c_mutex);
+ pagedresults_free_one_msgid_nolock( pb->pb_conn, operation->o_msgid);
+ PR_Unlock(pb->pb_conn->c_mutex);
+ /* paged-results-request was abandoned; making an empty cookie. */
+ pagedresults_set_response_control(pb, 0, estimate, -1, pr_idx);
+ send_ldap_result(pb, 0, NULL, "Simple Paged Results Search abandoned", 0, NULL);
+ rc = LDAP_SUCCESS;
+ goto free_and_return;
+ }
+ pagedresults_set_response_control(pb, 0, estimate, curr_search_count, pr_idx);
if (curr_search_count == -1) {
pagedresults_free_one(pb->pb_conn, operation, pr_idx);
}
diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c
index 2e70e19..a7fe2cd 100644
--- a/ldap/servers/slapd/pagedresults.c
+++ b/ldap/servers/slapd/pagedresults.c
@@ -87,6 +87,8 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
Operation *op = pb->pb_op;
BerElement *ber = NULL;
PagedResults *prp = NULL;
+ time_t ctime = current_time();
+ int i;
LDAPDebug0Args(LDAP_DEBUG_TRACE, "--> pagedresults_parse_control_value\n");
if ( NULL == conn || NULL == op || NULL == pagesize || NULL == index ) {
@@ -121,7 +123,6 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
/* the ber encoding is no longer needed */
ber_free(ber, 1);
if ( cookie.bv_len <= 0 ) {
- int i;
/* first time? */
int maxlen = conn->c_pagedresults.prl_maxlen;
if (conn->c_pagedresults.prl_count == maxlen) {
@@ -138,15 +139,16 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
memset(conn->c_pagedresults.prl_list + maxlen, '\0', sizeof(PagedResults) * maxlen);
}
*index = maxlen; /* the first position in the new area */
+ prp = conn->c_pagedresults.prl_list + *index;
+ prp->pr_current_be = be;
} else {
- time_t ctime = current_time();
prp = conn->c_pagedresults.prl_list;
for (i = 0; i < conn->c_pagedresults.prl_maxlen; i++, prp++) {
if (!prp->pr_current_be) { /* unused slot; take it */
prp->pr_current_be = be;
*index = i;
break;
- } else if (((prp->pr_timelimit > 0) && (ctime < prp->pr_timelimit)) || /* timelimit exceeded */
+ } else if (((prp->pr_timelimit > 0) && (ctime > prp->pr_timelimit)) || /* timelimit exceeded */
(prp->pr_flags & CONN_FLAG_PAGEDRESULTS_ABANDONED) /* abandoned */) {
_pr_cleanup_one_slot(prp);
conn->c_pagedresults.prl_count--;
@@ -155,15 +157,6 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
break;
}
}
- /* cleaning up the rest of the timedout if any */
- for (++i; i < conn->c_pagedresults.prl_maxlen; i++, prp++) {
- if (prp->pr_current_be &&
- (((prp->pr_timelimit > 0) && (ctime < prp->pr_timelimit)) || /* timelimit exceeded */
- (prp->pr_flags & CONN_FLAG_PAGEDRESULTS_ABANDONED)) /* abandoned */) {
- _pr_cleanup_one_slot(prp);
- conn->c_pagedresults.prl_count--;
- }
- }
}
if ((*index > -1) && (*index < conn->c_pagedresults.prl_maxlen) &&
!conn->c_pagedresults.prl_list[*index].pr_mutex) {
@@ -181,8 +174,8 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
if ((conn->c_pagedresults.prl_maxlen <= *index) || (*index < 0)){
rc = LDAP_PROTOCOL_ERROR;
LDAPDebug1Arg(LDAP_DEBUG_ANY,
- "pagedresults_parse_control_value: invalid cookie: %d\n",
- *index);
+ "pagedresults_parse_control_value: invalid cookie: %d\n", *index);
+ *index = -1; /* index is invalid. reinitializing it. */
goto bail;
}
prp = conn->c_pagedresults.prl_list + *index;
@@ -206,11 +199,24 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
}
} else {
rc = LDAP_PROTOCOL_ERROR;
- LDAPDebug1Arg(LDAP_DEBUG_ANY,
- "pagedresults_parse_control_value: invalid cookie: %d\n",
- *index);
+ LDAPDebug1Arg(LDAP_DEBUG_ANY, "pagedresults_parse_control_value: invalid cookie: %d\n", *index);
}
bail:
+ /* cleaning up the rest of the timedout or abandoned if any */
+ prp = conn->c_pagedresults.prl_list;
+ for (i = 0; i < conn->c_pagedresults.prl_maxlen; i++, prp++) {
+ if (prp->pr_current_be &&
+ (((prp->pr_timelimit > 0) && (ctime > prp->pr_timelimit)) || /* timelimit exceeded */
+ (prp->pr_flags & CONN_FLAG_PAGEDRESULTS_ABANDONED)) /* abandoned */) {
+ _pr_cleanup_one_slot(prp);
+ conn->c_pagedresults.prl_count--;
+ if (i == *index) {
+ /* registered slot is expired and cleaned up. return cancelled. */
+ *index = -1;
+ rc = LDAP_CANCELLED;
+ }
+ }
+ }
PR_Unlock(conn->c_mutex);
LDAPDebug1Arg(LDAP_DEBUG_TRACE,
@@ -326,7 +332,9 @@ pagedresults_free_one( Connection *conn, Operation *op, int index )
return rc;
}
-/* Used for abandoning */
+/*
+ * Used for abandoning - conn->c_mutex is already locked in do_abandone.
+ */
int
pagedresults_free_one_msgid_nolock( Connection *conn, ber_int_t msgid )
{
@@ -334,7 +342,7 @@ pagedresults_free_one_msgid_nolock( Connection *conn, ber_int_t msgid )
int i;
if (conn && (msgid > -1)) {
- if (conn->c_pagedresults.prl_count <= 0) {
+ if (conn->c_pagedresults.prl_maxlen <= 0) {
; /* Not a paged result. */
} else {
LDAPDebug1Arg(LDAP_DEBUG_TRACE,
@@ -381,18 +389,18 @@ pagedresults_get_current_be(Connection *conn, int index)
}
int
-pagedresults_set_current_be(Connection *conn, Slapi_Backend *be, int index)
+pagedresults_set_current_be(Connection *conn, Slapi_Backend *be, int index, int nolock)
{
int rc = -1;
LDAPDebug1Arg(LDAP_DEBUG_TRACE,
"--> pagedresults_set_current_be: idx=%d\n", index);
if (conn && (index > -1)) {
- PR_Lock(conn->c_mutex);
+ if (!nolock) PR_Lock(conn->c_mutex);
if (index < conn->c_pagedresults.prl_maxlen) {
conn->c_pagedresults.prl_list[index].pr_current_be = be;
}
- PR_Unlock(conn->c_mutex);
rc = 0;
+ if (!nolock) PR_Unlock(conn->c_mutex);
}
LDAPDebug1Arg(LDAP_DEBUG_TRACE,
"<-- pagedresults_set_current_be: %d\n", rc);
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index a4c6b58..3f88f55 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -1481,7 +1481,7 @@ void pagedresults_set_response_control(Slapi_PBlock *pb, int iscritical,
ber_int_t estimate,
int curr_search_count, int index);
Slapi_Backend *pagedresults_get_current_be(Connection *conn, int index);
-int pagedresults_set_current_be(Connection *conn, Slapi_Backend *be, int index);
+int pagedresults_set_current_be(Connection *conn, Slapi_Backend *be, int index, int nolock);
void *pagedresults_get_search_result(Connection *conn, Operation *op,
int index);
int pagedresults_set_search_result(Connection *conn, Operation *op, void *sr,
commit 7718eb6a6714d1a284c3c706e621a7eb0ca5655a
Author: Noriko Hosoi <nhosoi at redhat.com>
Date: Fri Jun 5 10:13:17 2015 -0700
Ticket #48192 - Individual abandoned simple paged results request has no chance to be cleaned up
Description: Checking the cookie value passed by the client was not
sufficient. The negative value check was missing, which lead to
the simple paged results array out of bounds. Plus, a minor memory
leak was fixed. Thanks to Thierry Bordaz for his reviews!
https://fedorahosted.org/389/ticket/48192
(cherry picked from commit 298371d372678cf553594ae73ae57a6ea35358bf)
diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c
index 402dd10..2e70e19 100644
--- a/ldap/servers/slapd/pagedresults.c
+++ b/ldap/servers/slapd/pagedresults.c
@@ -177,14 +177,14 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
memcpy(ptr, cookie.bv_val, cookie.bv_len);
*(ptr+cookie.bv_len) = '\0';
*index = strtol(ptr, NULL, 10);
- if (conn->c_pagedresults.prl_maxlen <= *index) {
+ slapi_ch_free_string(&ptr);
+ if ((conn->c_pagedresults.prl_maxlen <= *index) || (*index < 0)){
rc = LDAP_PROTOCOL_ERROR;
LDAPDebug1Arg(LDAP_DEBUG_ANY,
"pagedresults_parse_control_value: invalid cookie: %d\n",
*index);
goto bail;
}
- slapi_ch_free_string(&ptr);
prp = conn->c_pagedresults.prl_list + *index;
if (!(prp->pr_search_result_set)) { /* freed and reused for the next backend. */
conn->c_pagedresults.prl_count++;
commit 97c707df4e11936202310e99bcf5f45d15b49f0f
Author: Noriko Hosoi <nhosoi at redhat.com>
Date: Thu Jun 4 16:27:05 2015 -0700
Ticket #48192 - Individual abandoned simple paged results request has no chance to be cleaned up
Description: When allocating a slot in simple paged results array stashed
in a connection in pagedresults_parse_control_value, a new code is added
to scan the array if the existing slot is timed out or not. If it is, the
slot is released and a search results is released if it is attached.
Also, if a request is abandoned, instead of returning a valid cookie, it
changed to return an empty cookie to inform the client the request was not
successfully completed.
https://fedorahosted.org/389/ticket/48192
Reviewed by rmeggins at redhat.com (Thank you, Rich!!)
(cherry picked from commit f3c3125fc9fd4dc1cbd41027d6442cb525efd014)
diff --git a/ldap/servers/slapd/opshared.c b/ldap/servers/slapd/opshared.c
index fa88053..1623fb0 100644
--- a/ldap/servers/slapd/opshared.c
+++ b/ldap/servers/slapd/opshared.c
@@ -517,8 +517,7 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
rc = pagedresults_parse_control_value(pb, ctl_value, &pagesize, &pr_idx, be);
/* Let's set pr_idx even if it fails; in case, pr_idx == -1. */
slapi_pblock_set(pb, SLAPI_PAGED_RESULTS_INDEX, &pr_idx);
- if ((LDAP_SUCCESS == rc) ||
- (LDAP_CANCELLED == rc) || (0 == pagesize)) {
+ if ((LDAP_SUCCESS == rc) || (LDAP_CANCELLED == rc) || (0 == pagesize)) {
unsigned int opnote = SLAPI_OP_NOTE_SIMPLEPAGED;
op_set_pagedresults(operation);
pr_be = pagedresults_get_current_be(pb->pb_conn, pr_idx);
@@ -545,9 +544,8 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
}
slapi_pblock_set( pb, SLAPI_OPERATION_NOTES, &opnote );
if ((LDAP_CANCELLED == rc) || (0 == pagesize)) {
- /* paged-results-request was abandoned */
- pagedresults_set_response_control(pb, 0, estimate,
- curr_search_count, pr_idx);
+ /* paged-results-request was abandoned; making an empty cookie. */
+ pagedresults_set_response_control(pb, 0, estimate, -1, pr_idx);
send_ldap_result(pb, 0, NULL,
"Simple Paged Results Search abandoned",
0, NULL);
@@ -574,10 +572,21 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
/* adjust time and size limits */
compute_limits (pb);
-
- /* call the pre-search plugins. if they succeed, call the backend
- search function. then call the post-search plugins. */
+ /* set the timelimit to clean up the too-long-lived-paged results requests */
+ if (op_is_pagedresults(operation)) {
+ time_t optime, time_up;
+ int tlimit;
+ slapi_pblock_get( pb, SLAPI_SEARCH_TIMELIMIT, &tlimit );
+ slapi_pblock_get( pb, SLAPI_OPINITIATED_TIME, &optime );
+ time_up = (tlimit==-1 ? -1 : optime + tlimit); /* -1: no time limit */
+ pagedresults_set_timelimit(pb->pb_conn, pb->pb_op, time_up, pr_idx);
+ }
+
+ /*
+ * call the pre-search plugins. if they succeed, call the backend
+ * search function. then call the post-search plugins.
+ */
/* ONREPL - should regular plugin be called for internal searches ? */
if (plugin_call_plugins(pb, SLAPI_PLUGIN_PRE_SEARCH_FN) == 0)
{
@@ -642,16 +651,6 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
}
}
- /* set the timelimit to clean up the too-long-lived-paged results requests */
- if (op_is_pagedresults(operation)) {
- time_t optime, time_up;
- int tlimit;
- slapi_pblock_get( pb, SLAPI_SEARCH_TIMELIMIT, &tlimit );
- slapi_pblock_get( pb, SLAPI_OPINITIATED_TIME, &optime );
- time_up = (tlimit==-1 ? -1 : optime + tlimit); /* -1: no time limit */
- pagedresults_set_timelimit(pb->pb_conn, pb->pb_op, time_up, pr_idx);
- }
-
/* PAR: now filters have been rewritten, we can assign plugins to work on them */
index_subsys_assign_filter_decoders(pb);
@@ -880,10 +879,7 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
slapi_pblock_get(pb, SLAPI_SEARCH_RESULT_SET, &sr);
if (PAGEDRESULTS_SEARCH_END == pr_stat) {
if (sr) { /* in case a left over sr is found, clean it up */
- PR_Lock(pb->pb_conn->c_mutex);
- pagedresults_set_search_result(pb->pb_conn, operation, NULL, 1, pr_idx);
- be->be_search_results_release(&sr);
- PR_Unlock(pb->pb_conn->c_mutex);
+ pagedresults_free_one(pb->pb_conn, operation, pr_idx);
}
if (NULL == next_be) {
/* no more entries && no more backends */
@@ -1306,7 +1302,6 @@ iterate(Slapi_PBlock *pb, Slapi_Backend *be, int send_result,
operation_out_of_disk_space();
}
pr_stat = PAGEDRESULTS_SEARCH_END;
- pagedresults_set_timelimit(pb->pb_conn, pb->pb_op, 0, pr_idx);
rval = -1;
done = 1;
continue;
diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c
index 327da54..402dd10 100644
--- a/ldap/servers/slapd/pagedresults.c
+++ b/ldap/servers/slapd/pagedresults.c
@@ -41,6 +41,27 @@
#include "slap.h"
+/* helper function to clean up one prp slot */
+static void
+_pr_cleanup_one_slot(PagedResults *prp)
+{
+ PRLock *prmutex = NULL;
+ if (!prp) {
+ return;
+ }
+ if (prp->pr_current_be && prp->pr_current_be->be_search_results_release) {
+ /* sr is left; release it. */
+ prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
+ }
+ /* clean up the slot */
+ if (prp->pr_mutex) {
+ /* pr_mutex is reused; back it up and reset it. */
+ prmutex = prp->pr_mutex;
+ }
+ memset(prp, '\0', sizeof(PagedResults));
+ prp->pr_mutex = prmutex;
+}
+
/*
* Parse the value from an LDAPv3 "Simple Paged Results" control. They look
* like this:
@@ -65,6 +86,7 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
Connection *conn = pb->pb_conn;
Operation *op = pb->pb_op;
BerElement *ber = NULL;
+ PagedResults *prp = NULL;
LDAPDebug0Args(LDAP_DEBUG_TRACE, "--> pagedresults_parse_control_value\n");
if ( NULL == conn || NULL == op || NULL == pagesize || NULL == index ) {
@@ -117,13 +139,31 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
}
*index = maxlen; /* the first position in the new area */
} else {
- for (i = 0; i < conn->c_pagedresults.prl_maxlen; i++) {
- if (!conn->c_pagedresults.prl_list[i].pr_current_be) {
- conn->c_pagedresults.prl_list[i].pr_current_be = be;
+ time_t ctime = current_time();
+ prp = conn->c_pagedresults.prl_list;
+ for (i = 0; i < conn->c_pagedresults.prl_maxlen; i++, prp++) {
+ if (!prp->pr_current_be) { /* unused slot; take it */
+ prp->pr_current_be = be;
+ *index = i;
+ break;
+ } else if (((prp->pr_timelimit > 0) && (ctime < prp->pr_timelimit)) || /* timelimit exceeded */
+ (prp->pr_flags & CONN_FLAG_PAGEDRESULTS_ABANDONED) /* abandoned */) {
+ _pr_cleanup_one_slot(prp);
+ conn->c_pagedresults.prl_count--;
+ prp->pr_current_be = be;
*index = i;
break;
}
}
+ /* cleaning up the rest of the timedout if any */
+ for (++i; i < conn->c_pagedresults.prl_maxlen; i++, prp++) {
+ if (prp->pr_current_be &&
+ (((prp->pr_timelimit > 0) && (ctime < prp->pr_timelimit)) || /* timelimit exceeded */
+ (prp->pr_flags & CONN_FLAG_PAGEDRESULTS_ABANDONED)) /* abandoned */) {
+ _pr_cleanup_one_slot(prp);
+ conn->c_pagedresults.prl_count--;
+ }
+ }
}
if ((*index > -1) && (*index < conn->c_pagedresults.prl_maxlen) &&
!conn->c_pagedresults.prl_list[*index].pr_mutex) {
@@ -131,7 +171,6 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
}
conn->c_pagedresults.prl_count++;
} else {
- PagedResults *prp = NULL;
/* Repeated paged results request.
* PagedResults is already allocated. */
char *ptr = slapi_ch_malloc(cookie.bv_len + 1);
@@ -156,8 +195,10 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
slapi_ch_free((void **)&cookie.bv_val);
if ((*index > -1) && (*index < conn->c_pagedresults.prl_maxlen)) {
- if (conn->c_pagedresults.prl_list[*index].pr_flags &
- CONN_FLAG_PAGEDRESULTS_ABANDONED) {
+ if (conn->c_pagedresults.prl_list[*index].pr_flags & CONN_FLAG_PAGEDRESULTS_ABANDONED) {
+ /* repeated case? */
+ prp = conn->c_pagedresults.prl_list + *index;
+ _pr_cleanup_one_slot(prp);
rc = LDAP_CANCELLED;
} else {
/* Need to keep the latest msgid to prepare for the abandon. */
@@ -273,20 +314,8 @@ pagedresults_free_one( Connection *conn, Operation *op, int index )
"conn=%d paged requests list count is %d\n",
conn->c_connid, conn->c_pagedresults.prl_count);
} else if (index < conn->c_pagedresults.prl_maxlen) {
- PRLock *prmutex = NULL;
PagedResults *prp = conn->c_pagedresults.prl_list + index;
- if (prp && prp->pr_current_be &&
- prp->pr_current_be->be_search_results_release &&
- prp->pr_search_result_set) {
- prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
- }
- prp->pr_current_be = NULL;
- if (prp->pr_mutex) {
- /* pr_mutex is reused; back it up and reset it. */
- prmutex = prp->pr_mutex;
- }
- memset(prp, '\0', sizeof(PagedResults));
- prp->pr_mutex = prmutex;
+ _pr_cleanup_one_slot(prp);
conn->c_pagedresults.prl_count--;
rc = 0;
}
@@ -309,7 +338,7 @@ pagedresults_free_one_msgid_nolock( Connection *conn, ber_int_t msgid )
; /* Not a paged result. */
} else {
LDAPDebug1Arg(LDAP_DEBUG_TRACE,
- "--> pagedresults_free_one: msgid=%d\n", msgid);
+ "--> pagedresults_free_one_msgid_nolock: msgid=%d\n", msgid);
for (i = 0; i < conn->c_pagedresults.prl_maxlen; i++) {
if (conn->c_pagedresults.prl_list[i].pr_msgid == msgid) {
PagedResults *prp = conn->c_pagedresults.prl_list + i;
@@ -318,16 +347,14 @@ pagedresults_free_one_msgid_nolock( Connection *conn, ber_int_t msgid )
prp->pr_search_result_set) {
prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
}
- prp->pr_current_be = NULL;
prp->pr_flags |= CONN_FLAG_PAGEDRESULTS_ABANDONED;
prp->pr_flags &= ~CONN_FLAG_PAGEDRESULTS_PROCESSING;
- conn->c_pagedresults.prl_count--;
rc = 0;
break;
}
}
LDAPDebug1Arg(LDAP_DEBUG_TRACE,
- "<-- pagedresults_free_one: %d\n", rc);
+ "<-- pagedresults_free_one_msgid_nolock: %d\n", rc);
}
}
@@ -845,37 +872,42 @@ pagedresults_reset_processing(Connection *conn, int index)
}
#endif
-/* Are all the paged results requests timed out? */
+/*
+ * This timedout is mainly for an end user leaves a commandline untouched
+ * for a long time. This should not affect a permanent connection which
+ * manages multiple simple paged results requests over the connection.
+ *
+ * [rule]
+ * If there is just one slot and it's timed out, we return it is timedout.
+ * If there are multiple slots, the connection may be a permanent one.
+ * Do not return timed out here. But let the next request take care the
+ * timedout slot(s).
+ */
int
pagedresults_is_timedout_nolock(Connection *conn)
{
- int i;
PagedResults *prp = NULL;
time_t ctime;
- int rc = 0;
LDAPDebug0Args(LDAP_DEBUG_TRACE, "--> pagedresults_is_timedout\n");
- if (NULL == conn || 0 == conn->c_pagedresults.prl_count) {
- LDAPDebug0Args(LDAP_DEBUG_TRACE, "<-- pagedresults_is_timedout: -\n");
- return rc;
+ if (!conn || (0 == conn->c_pagedresults.prl_maxlen)) {
+ LDAPDebug0Args(LDAP_DEBUG_TRACE, "<-- pagedresults_is_timedout: false\n");
+ return 0;
}
ctime = current_time();
- for (i = 0; i < conn->c_pagedresults.prl_maxlen; i++) {
- prp = conn->c_pagedresults.prl_list + i;
+ prp = conn->c_pagedresults.prl_list;
+ if (prp && (1 == conn->c_pagedresults.prl_maxlen)) {
if (prp->pr_current_be && (prp->pr_timelimit > 0)) {
- if (ctime < prp->pr_timelimit) {
- LDAPDebug0Args(LDAP_DEBUG_TRACE,
- "<-- pagedresults_is_timedout: 0\n");
- return 0; /* at least, one request is not timed out. */
- } else {
- rc = 1; /* possibly timed out */
+ if (ctime > prp->pr_timelimit) {
+ LDAPDebug0Args(LDAP_DEBUG_TRACE, "<-- pagedresults_is_timedout: true\n");
+ return 1;
}
}
}
- LDAPDebug0Args(LDAP_DEBUG_TRACE, "<-- pagedresults_is_timedout: 1\n");
- return rc; /* all requests are timed out. */
+ LDAPDebug0Args(LDAP_DEBUG_TRACE, "<-- pagedresults_is_timedout: false\n");
+ return 0;
}
/* reset all timeout */
commit a805e25a576231c48250c0dc2d3325a90e2c4886
Author: Noriko Hosoi <nhosoi at redhat.com>
Date: Sun May 31 17:08:29 2015 -0700
Ticket #48190 - idm/ipa 389-ds-base entry cache converges to 500 KB in dblayer_is_cachesize_sane
Description: This issue was introduced by the fix for Ticket 47499
commit 1e035d1111f6abcb87e760a2b9e41fa9e05a7ebd.
The function dblayer_is_cachesize_sane was originally implemented for
db cache to check if the given db cache size is larger than the available
memory or not. The function resets the size to the available memory size
if it is larger. Also, considering the extra metadata size needed for the
db cache, it multiplies by 0.8 every time it starts the server. It is not
needed even for the db cache. The code is old and we don't have to save
the memory there. Thus, this patch removes the resetting code.
https://fedorahosted.org/389/ticket/48190
Reviewed by mreynolds at redhat.com (Thank you, Mark!!)
(cherry picked from commit bf9ef718cfd48c26eaf11662f522451d866e7681)
diff --git a/ldap/servers/slapd/back-ldbm/dblayer.c b/ldap/servers/slapd/back-ldbm/dblayer.c
index 51fbc64..f9a8e4a 100644
--- a/ldap/servers/slapd/back-ldbm/dblayer.c
+++ b/ldap/servers/slapd/back-ldbm/dblayer.c
@@ -1116,13 +1116,6 @@ int dblayer_is_cachesize_sane(size_t *cachesize)
if (!issane) {
*cachesize = (size_t)((pages - procpages) * pagesize);
}
- /* We now compensate for DB's own compensation for metadata size
- * They increase the actual cache size by 25%, but only for sizes
- * less than 500Meg.
- */
- if (*cachesize < 500*MEGABYTE) {
- *cachesize = (size_t)((double)*cachesize * (double)0.8);
- }
return issane;
}
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c
index 9b93f9a..f75ca97 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c
@@ -121,11 +121,12 @@ ldbm_instance_config_cachememsize_set(void *arg, void *value, char *errorbuf, in
ldbm_instance *inst = (ldbm_instance *) arg;
int retval = LDAP_SUCCESS;
size_t val = (size_t) value;
+ size_t chkval = val;
/* Do whatever we can to make sure the data is ok. */
if (apply) {
- if (!dblayer_is_cachesize_sane(&val)){
+ if (!dblayer_is_cachesize_sane(&chkval)){
PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
"Error: cachememsize value is too large.");
LDAPDebug( LDAP_DEBUG_ANY,"Error: cachememsize value is too large.\n",
@@ -152,11 +153,12 @@ ldbm_instance_config_dncachememsize_set(void *arg, void *value, char *errorbuf,
ldbm_instance *inst = (ldbm_instance *) arg;
int retval = LDAP_SUCCESS;
size_t val = (size_t)value;
+ size_t chkval = val;
/* Do whatever we can to make sure the data is ok. */
More information about the Pkg-fedora-ds-maintainers
mailing list