openldap-bugs

openldap-bugs@openldap.org

1 participants
21000 discussions

(ITS#6756) ldapsearch crashes - double free or corruption (!prev): 0x0989f5f8
by jgilmour＠techsmog.com 30 Dec '10

30 Dec '10

Full_Name: Josh Gilmour Version: ldapsearch 2.3.43 (Nov 29 2010 03:47:14) OS: CentOS release 5.4 32bit URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (38.112.23.58) I get a segfault when using the following command and applying a filter file. If we remove the -f, the command runs properly. It doesn't seem to be a major security issue (or one at all, I'm not sure), but it does seem to be a bug I believe... the file i'm using for the -f parameter, 'testing', just has the letter 'a' in it. Here is the process output from gdb: [jgilmour@xijgilmour ~]$ gdb ldapsearch GNU gdb Fedora (6.8-37.el5) Copyright (C) 2008 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "i386-redhat-linux-gnu"... (no debugging symbols found) (gdb) r -x -LLL -h xxx.local -D "xxx(a)xxx.local" -E pr=1/noprompt -w password -b "OU=xxx,dc=xxx,dc=local" -S sAMAccountName -f testing Starting program: /usr/bin/ldapsearch -x -LLL -h xxx.local -D "xxx(a)xxx.local" -E pr=1/noprompt -w password -b "OU=xxx,dc=xxx,dc=local" -S sAMAccountName -f testing (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) dn: OU=xxx,DC=xxx,DC=LOCAL objectClass: top objectClass: organizationalUnit ou: xxx distinguishedName: OU=xxx,DC=xxx,DC=LOCAL instanceType: 4 whenCreated: 20050103174000.0Z whenChanged: 20081117191042.0Z uSNCreated: 12371 uSNChanged: 6388825 name: xxx objectGUID:: qjRiugCNd0eXyrXkHlETpA== objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=xxx,D C=LOCAL dSCorePropagationData: 20080818221029.0Z dSCorePropagationData: 20080628202026.0Z dSCorePropagationData: 20070611215308.0Z dSCorePropagationData: 20070611213209.0Z dSCorePropagationData: 16010714223649.0Z *** glibc detected *** /usr/bin/ldapsearch: double free or corruption (!prev): 0x086a35f8 *** Program received signal SIGSEGV, Segmentation fault. 0x00c67a3f in _int_malloc () from /lib/i686/nosegneg/libc.so.6 (gdb) i r eax 0x169 361 ecx 0xd43170 13906288 edx 0x86a35f0 141178352 ebx 0xd41ff4 13901812 esp 0xbf9a7078 0xbf9a7078 ebp 0xbf9a713c 0xbf9a713c esi 0x168 360 edi 0xb7fdb000 -1208111104 eip 0xc67a3f 0xc67a3f <_int_malloc+703> eflags 0x210283 [ CF SF IF RF ID ] cs 0x73 115 ss 0x7b 123 ds 0x7b 123 es 0x7b 123 fs 0x0 0 gs 0x33 51 (gdb) bt #0 0x00c67a3f in _int_malloc () from /lib/i686/nosegneg/libc.so.6 #1 0x00c69a1e in malloc () from /lib/i686/nosegneg/libc.so.6 #2 0x00235998 in _dl_map_object () from /lib/ld-linux.so.2 #3 0x0023ead1 in dl_open_worker () from /lib/ld-linux.so.2 #4 0x0023ae66 in _dl_catch_error () from /lib/ld-linux.so.2 #5 0x0023e4b2 in _dl_open () from /lib/ld-linux.so.2 #6 0x00d08072 in do_dlopen () from /lib/i686/nosegneg/libc.so.6 #7 0x0023ae66 in _dl_catch_error () from /lib/ld-linux.so.2 #8 0x00d08225 in __libc_dlopen_mode () from /lib/i686/nosegneg/libc.so.6 #9 0x00ce44d9 in init () from /lib/i686/nosegneg/libc.so.6 #10 0x00ce4673 in backtrace () from /lib/i686/nosegneg/libc.so.6 #11 0x00c5ee51 in __libc_message () from /lib/i686/nosegneg/libc.so.6 #12 0x00c671d5 in _int_free () from /lib/i686/nosegneg/libc.so.6 #13 0x00c67619 in free () from /lib/i686/nosegneg/libc.so.6 #14 0x00c55756 in fclose@@GLIBC_2.1 () from /lib/i686/nosegneg/libc.so.6 #15 0x0804ca88 in ?? () #16 0x00c12e9c in __libc_start_main () from /lib/i686/nosegneg/libc.so.6 #17 0x0804a3f1 in ?? () (gdb) q The program is running. Exit anyway? (y or n) y [jgilmour@xijgilmour ~]$ uname -a Linux xijgilmour.xxx.local 2.6.18-164.11.1.el5xen #1 SMP Wed Jan 20 08:53:10 EST 2010 i686 i686 i386 GNU/Linux

1 0

(ITS#6755) ldapsearch crashes - double free or corruption (!prev): 0x0989f5f8
by jgilmour＠techsmog.com 30 Dec '10

30 Dec '10

1 0

(ITS#6754) slapd ignores extra command-line arguments
by rein＠OpenLDAP.org 30 Dec '10

30 Dec '10

Full_Name: Rein Tollevik Version: CVS head OS: Irrelevant URL: Submission from: (NULL) (2a01:600:0:1:129a:ddff:fe4b:9c78) Submitted by: rein slapd silently ignores extra command-line arguments not recognized as options. A simple fix is coming. -- Rein Tollevik Basefarm AS

1 0

Re: (ITS#6741)
by hyc＠symas.com 30 Dec '10

30 Dec '10

jgcardoso(a)seguridata.com wrote: > This is a multi-part message in MIME format. > > ------_=_NextPart_001_01CBA84D.397A800E > Content-Type: text/plain; > charset="us-ascii" > Content-Transfer-Encoding: quoted-printable > > I submitted a patch for tls2.c in order to handle DER BitString values. LBER_BITSTRING is already defined in lber.h so there's no need to define LBER_TAG_BITSTRING in your patch. I will clean up some of this and then commit it. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#6741)
by jgcardoso＠seguridata.com 30 Dec '10

30 Dec '10

This is a multi-part message in MIME format. ------_=_NextPart_001_01CBA84D.397A800E Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable I submitted a patch for tls2.c in order to handle DER BitString values. =20 This patch file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by SeguriData Privada, S.A. de CV. SeguriData Privada S.A de C. V. has not assigned rights and/or interest in this work to any party. I, Juan Gonzalez Cardoso am authorized by SeguriData Privada, S. A. de C. V., my employer, to release this work under the following terms: =20 The attached modifications to OpenLDAP Software are subject to the following notice: =20 Copyright SeguriData Privada, S. A. de C. V. Redistribution and use in source and binary forms, with or without modification, are permitted only as authorized by the OpenLDAP Public License. =20 Full_Name: Juan Gonzalez Cardoso Version: 2.4.23 OS: Red Hat 5.5 EL URL: ftp://ftp.openldap.org/incoming/juan-gonzalez-101230.patch =20 =20 =20 =20 ------_=_NextPart_001_01CBA84D.397A800E Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable <html xmlns:v=3D"urn:schemas-microsoft-com:vml" = xmlns:o=3D"urn:schemas-microsoft-com:office:office" = xmlns:w=3D"urn:schemas-microsoft-com:office:word" = xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" = xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta = http-equiv=3DContent-Type content=3D"text/html; = charset=3Dus-ascii"><meta name=3DGenerator content=3D"Microsoft Word 12 = (filtered medium)"><style></style></head><body lang=3DES-MX link=3Dblue = vlink=3Dpurple><div class=3DWordSection1>I submitted a patch for tls2.c in order to handle DER = BitString values.<o:p></o:p><o:p> </o:p> This patch file is derived from OpenLDAP Software. All of = the modifications to OpenLDAP Software represented in the following = patch(es) were developed by SeguriData Privada, S.A. de = CV.<o:p></o:p>SeguriData Privada S.A de C. V. has not assigned rights = and/or interest in this work to any party.<o:p></o:p>I, Juan Gonzalez Cardoso am = authorized by SeguriData Privada, S. A. de C. V., my employer, to = release this work under the following terms:<o:p></o:p><o:p> </o:p>The attached modifications to = OpenLDAP Software are subject to the following = notice:<o:p></o:p><o:p> </o:p>Copyright = SeguriData Privada, S. A. de C. V.<o:p></o:p>Redistribution and use in source = and binary forms, with or without modification, are permitted only as = authorized by the OpenLDAP Public License.<o:p></o:p><o:p> </o:p>Full_Name: Juan Gonzalez = Cardoso<o:p></o:p>Version: 2.4.23<o:p></o:p>OS: Red Hat 5.5 = EL<o:p></o:p>URL: <a = href=3D"ftp://ftp.openldap.org/incoming/juan-gonzalez-101230.patch">ftp:/= /ftp.openldap.org/incoming/juan-gonzalez-101230.patch</a><o:p></o:p></spa= n><o:p> </o:p><o:p> </o:p><o:p> </o:p><o:p> </o:p></div></body></html> ------_=_NextPart_001_01CBA84D.397A800E--

1 0

Re: (ITS#6684)
by hyc＠symas.com 30 Dec '10

30 Dec '10

norbert(a)pueschel.net wrote: > Updated TAR-file with (hopefully) sufficient copyright notice... > > http://www.pueschel.net/openldap/norbert-pueschel-autogroup-27102010.tar Your code does a string compare againset "memberOf" to detect those filter references. 1) it should simply be comparing the AttributeDescription pointers 2) since the "memberof" attribute is actually configurable in the memberof overlay, there's no guarantee that this is the correct attribute to be looking for. It should also be configurable in your patch. You're using strcasecmp, but your inputs are already normalized values. You should just use ber_bvcmp. Replying to the original: > 1) Using non-DN-valued URIs for autogroup does not work correctly, even > with the latest version from HEAD. Especially changing group member is > not tracked. I don't see why this should ever work or be supported. LDAP groups list DNs. > 2) Using the memberOf-overlay for constructing autogroups does not work I don't see any reason why this should work. The memberof overlay is not used to construct groups, it is only used to report on group memberships that have already been defined. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#6664) Server control forwarding in back_meta and back_ldap
by hyc＠symas.com 30 Dec '10

30 Dec '10

masarati(a)aero.polimi.it wrote: >> Note that the SSSVLV overlay can handle paged results locally too, thus >> negating any need for back-ldap/back-meta to forward it to a remote >> server. >> Obviously for greatest generality, there needs to be a way to configure >> which >> set of controls to pass through, and which to process locally. (Much like >> back-ldap's option to process the WhoAmI exop...) > > Right. With proxies the problem is twofold: > > a) clients request pr because they think they're talking to AD > > b) the proxy may need to use pr even if the client does not request it, > because it knows it's talking to AD > > In (a), the issue could be handled the way sssvlv does, relieving the > proxy from having to deal with server-side pr; this would be extremely > beneficial, for example, for back-meta > > In (b), the proxy could be configured to use pr the way I mentioned above; > in principle, the proxy could be so clever to avoid using pr, and simply > accept to handle unrequested pr responses, but only if instructed to do > so. > > Filtering what controls are passed thru should be easy, since both proxy > backends always call ldap_back_controls_add()/meta_back_controls_add() to > muck with request controls (usually to add proxied authorization and so); > this function could easily strip or add pr if instructed to do so. Should also revisit ITS#4591 while thinking about this. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

ITS#5966
by hyc＠symas.com 30 Dec '10

30 Dec '10

cn=Monitor does not appear to have this problem any more, at least not for test056 or test039 on my dual-core machine. Can we close this out? -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#5862) Assert control ignored on non-database entries
by hyc＠symas.com 30 Dec '10

30 Dec '10

h.b.furuseth(a)usit.uio.no wrote: > Full_Name: Hallvard B Furuseth > Version: HEAD > OS: Linux > URL: > Submission from: (NULL) (129.240.6.233) > Submitted by: hallvard > > > slapd does not apply the Assert control to non-database entries > (at least the root and subschema entries), yet does not reject > a critical control either. > > I have not explored the magnitutde of the problem: Where the > control can get ignored, and which other controls are ignored. > > $ ldapsearch -LLLx -e\!assert='(objectClass=person)' -b "" -s base > dn: > objectClass: top > objectClass: OpenLDAProotDSE > > $ ldapsearch -LLLx -e\!assert='(objectClass=person)' -b cn=subschema -s base > dn: cn=Subschema > objectClass: top > objectClass: subentry > objectClass: subschema > objectClass: extensibleObject > cn: Subschema > > > -b "" -s sub does apply the control with database bdb + suffix "". > Don't know about back-sql. > However I imagine it varies how careful backends "" are about generating > the root DSE when suffix == "" so controls can be applied to it. Might > need a backend flag which says whether the backend does this, and reject > the critical controls with unwillingToPerform if this flag is not set. With ITS#6753 I've centralized Compare processing into the frontend, so the Assert control is now processed for non-database entries with this op. Someone should take a look and see what other operations we need to worry about. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#6741)
by hyc＠symas.com 29 Dec '10

29 Dec '10

The ITS doesn't really handle MIME messages very well. Please just follow the guidelines on the OpenLDAP web site. http://www.openldap.org/devel/contributing.html jgcardoso(a)seguridata.com wrote: > This is a multi-part message in MIME format. > > ------_=_NextPart_001_01CBA7B8.A7EC1D62 > Content-Type: text/plain; > charset="us-ascii" > Content-Transfer-Encoding: quoted-printable > > I created a function to support conversion from DER BitString encoded > data to RFC4517 Bit String Format. > > I tested it alone and it seems to work fine with normal and abnormal > situations. > > =20 > > I also wrote a proposal to the call that must be included at > ldap_X509dn2bv() function. > > =20 > > First comes the conversion function and after comes the proposal. > > =20 > > =20 > > /*****************************************************/ > > =20 > > #define BITS_PER_BYTE 8 > > #define SQUOTE_LENGTH 1 > > #define B_CHAR_LENGTH 1 > > #define STR_OVERHEAD (2*SQUOTE_LENGTH + B_CHAR_LENGTH) > > =20 > > int ldap_der_to_rfc4517_BitString (struct berval *berValue, > > struct berval *rfc4517Value) { > > > ber_len_t bitPadding=3D0; > > ber_len_t bits, maxBits; > > char *tmpStr; > > unsigned char byte; > > ber_len_t bitLength; > > ber_len_t valLen; > > unsigned char* valPtr; > > =20 > > rfc4517Value->bv_len=3D0; > > rfc4517Value->bv_val=3DNULL; > > =20 > > /* Gets padding and points to binary data */ > > valLen=3DberValue->bv_len; > > valPtr=3D(unsigned char*)berValue->bv_val; > > if (valLen) { > > bitPadding=3D(ber_len_t)(valPtr[0]); > > valLen--; > > valPtr++; > > } > > /* If Block is non DER encoding fixes to DER encoding */ > > if (bitPadding>=3D BITS_PER_BYTE) { > > if (valLen*BITS_PER_BYTE> bitPadding ) { > > valLen-=3D(bitPadding/BITS_PER_BYTE); > > bitPadding%=3DBITS_PER_BYTE; > > } else { > > valLen=3D0; > > bitPadding=3D0; > > } > > } > > /* Just in case bad encoding */ > > if (valLen*BITS_PER_BYTE< bitPadding ) { > > bitPadding=3D0; > > valLen=3D0; > > } > > =20 > > /* Gets buffer to hold RFC4517 Bit String format */ > > bitLength=3DvalLen*BITS_PER_BYTE-bitPadding; > > tmpStr=3DLDAP_MALLOC(bitLength + STR_OVERHEAD + 1); > > =20 > > if (!tmpStr) > > return LDAP_NO_MEMORY; > > =20 > > rfc4517Value->bv_val=3DtmpStr; > > rfc4517Value->bv_len=3DbitLength + STR_OVERHEAD; > > =20 > > /* Formatting in '*binary-digit'B format */ > > maxBits=3DBITS_PER_BYTE; > > *tmpStr=3D'\''; > > tmpStr++; > > while(valLen) { > > byte=3D*valPtr; > > if (valLen=3D=3D1) > > maxBits-=3DbitPadding; > > for (bits=3D0; bits<maxBits; bits++) { > > if (0x80& byte) > > *tmpStr=3D'1'; > > else > > *tmpStr=3D'0'; > > tmpStr++; > > byte<<=3D1; > > } > > valPtr++; > > valLen--; > > } > > *tmpStr=3D'\''; > > tmpStr++; > > *tmpStr=3D'B'; > > tmpStr++; > > *tmpStr=3D0; > > =20 > > return LDAP_SUCCESS; > > } > > =20 > > =20 > > /*****************************************************/ > > /*****************************************************/ > > =20 > > =20 > > /* > > * Other tags found in AVAs (X.520) > > */ > > #define LBER_TAG_BITSTRING ((ber_tag_t) 0x03UL) > > =20 > > =20 > > ldap_X509dn2bv function updated: > > =20 > > switch(tag) { > > case LBER_TAG_UNIVERSAL: > > /* This uses 32-bit ISO 10646-1 */ > > csize =3D 4; goto to_utf8; > > case LBER_TAG_BMP: > > /* This uses 16-bit ISO 10646-1 */ > > csize =3D 2; goto to_utf8; > > case LBER_TAG_BITSTRING: > > /* X.690 bitString value converted to RFC4517 Bit > String */ > > rc =3D ldap_der_to_rfc4517_BitString(&Val, > &newAVA->la_value ); > > goto after_utf8; > > case LBER_TAG_TELETEX: > > /* This uses 8-bit, assume ISO 8859-1 */ > > csize =3D 1; > > to_utf8: rc =3D ldap_ucs_to_utf8s(&Val, csize, > &newAVA->la_value ); > > after_utf8: newAVA->la_flags |=3D LDAP_AVA_FREE_VALUE; > > if (rc !=3D LDAP_SUCCESS) goto nomem; > > newAVA->la_flags =3D LDAP_AVA_NONPRINTABLE; > > break; > > case LBER_TAG_UTF8: > > newAVA->la_flags =3D LDAP_AVA_NONPRINTABLE; > > /* This is already in UTF-8 encoding */ > > case LBER_TAG_IA5: > > case LBER_TAG_PRINTABLE: > > /* These are always 7-bit strings */ > > newAVA->la_value =3D Val; > > default: > > ; > > } > > =20 > > > ------_=_NextPart_001_01CBA7B8.A7EC1D62 > Content-Type: text/html; > charset="us-ascii" > Content-Transfer-Encoding: quoted-printable > > <html xmlns:v=3D"urn:schemas-microsoft-com:vml" = > xmlns:o=3D"urn:schemas-microsoft-com:office:office" = > xmlns:w=3D"urn:schemas-microsoft-com:office:word" = > xmlns:x=3D"urn:schemas-microsoft-com:office:excel" = -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs