The cupsd daemon got crashed when it is configured to populate and fetch printer information from LDAP server on Red Hat Enterprise Linux 6.

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 6
  • cups-1.4.2-48.el6_3.1.x86_64
  • openldap-2.4.23-26.el6_3.2.x86_64
  • Configure cups to populate printer information in LDAP server.

Issue

  • The cupsd daemon got crashed when it is configured to populate and fetch printer information from LDAP server on Red Hat Enterprise Linux 6.

  • If three printers are already added on cups. Then configure cups to populate LDAP the crash do not occur.

  • Then use 'lpadmin' is used add one more print queue cups got crashed.

    # service cups status
    cupsd dead but pid file exists
    
    # gdb -c coredump cupsd
    
    (gdb) bt
    #0  0x00007fef6d3d5a45 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
    #1  0x00007fef6d3d7225 in abort () at abort.c:92
    #2  0x00007fef6d3ce9d5 in __assert_fail (assertion=0x7fef6cd18908 "((ber)->ber_opts.lbo_valid==0x2)", file=<value optimized out>, 
        line=186, function=<value optimized out>) at assert.c:81
    #3  0x00007fef6cd14ed2 in ber_free_buf (ber=0x7fef71abb050) at ../../../libraries/liblber/io.c:186
    #4  0x00007fef6cd14f05 in ber_free (ber=0x7fef71abb050, freebuf=<value optimized out>) at ../../../libraries/liblber/io.c:203
    #5  0x00007fef6fc6cf06 in ldap_msgfree (lm=0x7fef71ab94d0) at ../../../libraries/libldap/result.c:1318
    #6  0x00007fef707a6869 in ldap_freeres (entry=<value optimized out>) at dirsvc.c:4041
    #7  0x00007fef707ab877 in send_ldap_browse (p=0x7fef71ac5cf0) at dirsvc.c:4561
    #8  0x00007fef707abfca in cupsdSendBrowseList () at dirsvc.c:946
    #9  0x00007fef707ad536 in main (argc=<value optimized out>, argv=<value optimized out>) at main.c:1019
    
  • The issue not reproducible on Red Hat Enterprise Linux 5 with cups-1.3.x.

Resolution

Update cups package with this [errata].(http://rhn.redhat.com/errata/RHBA-2012-1470.html)

Root Cause

This issue has been tracked under Bug #873592

Diagnostic Steps

  1. The crash is coming from liblber-2.4.so.2 library. This is openldap core library and comes from openldap-2.4.23-26.el6_3.2 package.

From /var/log/messages :

    Oct 23 03:34:04 sacvl104 kernel: cupsd[3001]: segfault at 600000000 ip 00007faf2fc1ee81 sp 00007fffe4adbba0 error 4 in liblber-2.4.so.2.5.6[7faf2fc18000+e000]
    Oct 23 03:34:04 sacvl104 abrt[3005]: saved core dump of pid 3001 (/usr/sbin/cupsd) to /var/spool/abrt/ccpp-1350988444-3001.new/coredump (1294336 bytes)

The library that throws crash is provided by openldap package.

# rpm -qf /lib64/liblber-2.4.so.2
openldap-2.4.23-26.el6_3.2.x86_64

2. This is also linked with cupsd internally.

    # ldd /usr/sbin/cupsd | grep liblber
        liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007fe1793cf000)

This is also linked with cupsd internally.

3. From core file.

    # gdb -c coredump cupsd

    (gdb) bt
    #0  0x00007fef6d3d5a45 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
    #1  0x00007fef6d3d7225 in abort () at abort.c:92
    #2  0x00007fef6d3ce9d5 in __assert_fail (assertion=0x7fef6cd18908 "((ber)->ber_opts.lbo_valid==0x2)", file=<value optimized out>, 
        line=186, function=<value optimized out>) at assert.c:81
    #3  0x00007fef6cd14ed2 in ber_free_buf (ber=0x7fef71abb050) at ../../../libraries/liblber/io.c:186
    #4  0x00007fef6cd14f05 in ber_free (ber=0x7fef71abb050, freebuf=<value optimized out>) at ../../../libraries/liblber/io.c:203
    #5  0x00007fef6fc6cf06 in ldap_msgfree (lm=0x7fef71ab94d0) at ../../../libraries/libldap/result.c:1318
    #6  0x00007fef707a6869 in ldap_freeres (entry=<value optimized out>) at dirsvc.c:4041
    #7  0x00007fef707ab877 in send_ldap_browse (p=0x7fef71ac5cf0) at dirsvc.c:4561
    #8  0x00007fef707abfca in cupsdSendBrowseList () at dirsvc.c:946
    #9  0x00007fef707ad536 in main (argc=<value optimized out>, argv=<value optimized out>) at main.c:1019

4. At frame 3 from gdb :

    (gdb) f 3
    #3  0x00007fef6cd14ed2 in ber_free_buf (ber=0x7fef71abb050) at ../../../libraries/liblber/io.c:186
    186     assert( LBER_VALID( ber ) );
    (gdb) list
    181 }
    182 
    183 void
    184 ber_free_buf( BerElement *ber )
    185 {
    186     assert( LBER_VALID( ber ) );
    187 
    188     if ( ber->ber_buf) ber_memfree_x( ber->ber_buf, ber->ber_memctx );
    189 
    190     ber->ber_buf = NULL;
    (gdb) p *ber
    $11 = {ber_opts = {lbo_valid = -18528, lbo_options = 29097, lbo_debug = 32751}, ber_tag = 105, ber_len = 12, ber_usertag = 0, 
      ber_buf = 0x0, ber_ptr = 0x7fef71aa11d3 "", ber_end = 0x7fef71aa11dc "", ber_sos_ptr = 0x0, ber_rwptr = 0x0, ber_memctx = 0x0}
    (gdb) quit

From backtrace it seems Sig 6 abort is coming from 'ber' variable in liblber/io.c file and line 186.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments