May 2008 - openldap-bugs

Re: (ITS#5522) Quarantine causes segmentation fault

by quanah＠zimbra.com

--On Thursday, May 22, 2008 3:11 PM +0000 andrew.graham(a)agustawestland.com wrote: > Full_Name: Drew Graham > Version: 2.4.9 > OS: SUSE 10 > URL: > Submission from: (NULL) (194.169.32.250) > ******************* > > Slapd then exits with Segmentation Fault. Gdb shows... This bug has been patched by Pierangelo in HEAD, and it will be in the 2.3.42 and 2.4.10 releases. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

15 years

1
0
0 / 0

Re: (ITS#5518) Assertion error in io.c:234: ber_flush2

by paul＠mad-scientist.us

Hi all; I just posted a new bug 5525 that describes exactly how this happens and where the bug is. I came to this conclusion while trying to find a crasher in Evolution Exchange: I ran it under valgrind to find the use of freed memory. Hopefully this will provide us with a quick fix!

15 years

1
0
0 / 0

(ITS#5525) libldap causes a core dump due to accessing freed memory

by paul＠mad-scientist.us

Full_Name: Paul Smith Version: 2.4.7 OS: Ubuntu 8.04 URL: Submission from: (NULL) (65.78.30.67) I've been trying to track down a crasher in Evolution's Exchange server backend, and I believe it's a bug in OpenLDAP's libldap. The core manifests as an assert() in io.c:ber_flush2(), but by using valgrind I can see that the real problem is using already-freed memory. You can see various backtraces and valgrind outputs in the Gnome bug tracking system here: http://bugzilla.gnome.org/show_bug.cgi?id=512605 Note that the later stack traces are better as I've installed debugging versions of OpenLDAP so there are better symbols shown. In Evolution we have a loop we use to look up global contacts, which looks like this: for (try = 0; try < 2; try++) { ldap_error = get_gc_connection (gc, op); if (ldap_error != LDAP_SUCCESS) return ldap_error; ldap_error = ldap_search_ext (gc->priv->ldap, base, scope, filter, (char **)attrs, FALSE, NULL, NULL, NULL, 0, &msgid); if (ldap_error == LDAP_SERVER_DOWN) continue; else if (ldap_error != LDAP_SUCCESS) return ldap_error; ldap_error = gc_ldap_result (gc->priv->ldap, op, msgid, msg); if (ldap_error == LDAP_SERVER_DOWN) continue; else if (ldap_error != LDAP_SUCCESS) return ldap_error; return LDAP_SUCCESS; } where get_gc_connection() eventually calls ldap_ntlm_bind() and where gc_ldap_result() calls ldap_result(). When the core happens, the first trip through the for loop here gives an error LDAP_SERVER_DOWN as the return code from ldap_result(). We go back to the top of the loop, and ldap_ntlm_bind() is called. That eventually ends up in ldap_send_initial_request() which invokes ldap_send_server_request() like this: rc = ldap_send_server_request( ld, ber, msgid, NULL, NULL, NULL, NULL ); Inside ldap_send_server_request() we need to find an LDAPConn* structure, but the one passed in is NULL as is the srvlist, so, we use the default connection: if ( lc == NULL ) { if ( srvlist == NULL ) { lc = ld->ld_defconn; Valgrind reports that the very next line, attempting to access lc->lconn_status, is referencing freed memory: if ( lc != NULL && lc->lconn_status == LDAP_CONNST_CONNECTING ) { So, basically, we know that ld->ld_defconn is a non-NULL pointer pointing to already freed memory. This seems like it is a buggy state. How did we get here? In ldap_result() we get into this loop invoking try_read1msg() (I'm removing the mutex locking for readability, even though it IS enabled in my version of libldap): for ( lc = ld->ld_conns; rc == LDAP_MSG_X_KEEP_LOOKING && lc != NULL; ) { if ( lc->lconn_status == LDAP_CONNST_CONNECTED && ldap_is_read_ready( ld, lc->lconn_sb ) ) { rc = try_read1msg( ld, msgid, all, &lc, result ); if ( lc == NULL ) { /* if lc gets free()'d, * there's no guarantee * lc->lconn_next is still * sane; better restart * (ITS#4405) */ lc = ld->ld_conns; /* don't get to next conn! */ break; } } /* next conn */ lc = lc->lconn_next; } Inside try_read1msg() we call "tag = ber_get_next( lc->lconn_sb, &len, ber );" and if the tag we get back is LBER_DEFAULT, then we declare an error and we free the connection and set the pointer to NULL: case LBER_DEFAULT: ld->ld_errno = LDAP_SERVER_DOWN; ldap_free_connection( ld, lc, 1, 0 ); lc = *lcp = NULL; return -1; If you check ldap_free_connection() you'll see that it removes the LDAPConn pointer "lc" from the list of connections before it is freed. BUT! The ldap_free_connection() function never does anything with the ld->ld_defconn pointer, so if the connection we just freed is the one pointed to by ld->ld_defconn, it is now pointing to freed memory. And that causes the problem detected above by valgrind, or causing an assert later on: accessing freed memory. I'm not really sure what the right thing to do here is, or I'd provide a patch. Should we set ld_defconn to NULL? Is that ever a valid state? Or should we just pick another connection from the list (and what if there isn't one?)

15 years

1
0
0 / 0

Re: (ITS#5523) BDB 4.7 support

by hyc＠symas.com

hyc(a)symas.com wrote: > Hooray, they've finally got a partitioned lock manager. The lock subsystem has > always been a huge bottleneck in previous releases... (Relatively speaking. Back in OpenLDAP 2.0 we had plenty of other problems, but today most of those are gone, and BerkeleyDB's lock manager is quite conspicuous in current profile results...) -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

15 years

1
0
0 / 0

Re: (ITS#5523) BDB 4.7 support

by hyc＠symas.com

quanah(a)zimbra.com wrote: > --On Thursday, May 22, 2008 7:28 PM +0000 quanah(a)OpenLDAP.org wrote: > > Change log at: > > <http://www.oracle.com/technology/documentation/berkeley-db/db/ref/changel...> Hooray, they've finally got a partitioned lock manager. The lock subsystem has always been a huge bottleneck in previous releases... The last time I looked at 4.7, the main problem was that they stopped exporting the __lock_getlocker() function. As a quick hack to allow testing the rest of OpenLDAP, I just patched it back in to my copy. The clean approach would be to once again resurrect the long-lived read-transaction code that we dropped a long time back. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

15 years

1
0
0 / 0

Re: (ITS#5523) BDB 4.7 support

by quanah＠zimbra.com

--On Thursday, May 22, 2008 7:28 PM +0000 quanah(a)OpenLDAP.org wrote: Change log at: <http://www.oracle.com/technology/documentation/berkeley-db/db/ref/changel...> --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

15 years

1
0
0 / 0

(ITS#5524) Additions to the Security section of the Admin Guide

by andrew.findlay＠skills-1st.co.uk

Full_Name: Andrew Findlay Version: 2.4.9 OS: Linux URL: http://www.skills-1st.co.uk/pub/code/openldap-guide-patch-20080522 Submission from: (NULL) (88.97.25.132) This patch adds text to the Security chapter in the Admin Guide. It describes the password storage schemes, including the {SASL} scheme that triggers pass-through authentication. The latter facility has existed since version 2.0 but has never been mentioned in the docs, so I have included a section with an example of its use.

15 years

1
0
0 / 0

(ITS#5523) BDB 4.7 support

by quanah＠OpenLDAP.org

Full_Name: Quanah Gibson-Mount Version: HEAD/RE24 OS: NA URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (24.23.156.219) BDB 4.7 is officially released. We should add support for it.

15 years

1
0
0 / 0

(ITS#5522) Quarantine causes segmentation fault

by andrew.graham＠agustawestland.com

Full_Name: Drew Graham Version: 2.4.9 OS: SUSE 10 URL: Submission from: (NULL) (194.169.32.250) I've set up a meta directory with openldap, which has worked flawlessly until now. If I set the 'quarantine' directive slapd fails to start, giving a segmentation fault. This occurs every time I use quarantine, on two different distros, on any version of openldap that I've tested (2.3.39, 2.3.41, 2.4.9), with both my usual config file and a very simple config file. As an example, I built openldap 2.4.9 on suse 10 with the following configure line... # ./configure --prefix=/usr/local/ldap3 --enable-meta --enable-ldap Slapd.conf looks like... ******************* include /usr/local/ldap/etc/openldap/schema/core.schema include /usr/local/ldap/etc/openldap/schema/cosine.schema include /usr/local/ldap/etc/openldap/schema/inetorgperson.schema pidfile /usr/local/ldap/var/run/slapd.pid argsfile /usr/local/ldap/var/run/slapd.args database meta suffix "dc=example,dc=com" rootdn "cn=manager,dc=example,dc=com" rootpw "secret" quarantine 1800,3 uri "ldap://ldap.example.com/dc=example,dc=com" ******************* Obviously my normal config looks nothing like this, but running this config gets the same result. the last few lines that slapd will output with full debug gives... ****************** line 9 (pidfile /usr/local/ldap/var/run/slapd.pid) line 9 (pidfile /usr/local/ldap/var/run/slapd.pid) line 9 (pidfile /usr/local/ldap/var/run/slapd.pid) line 10 (argsfile /usr/local/ldap/var/run/slapd.args) line 13 (database meta) line 14 (suffix "dc=example,dc=com") >>> dnPrettyNormal: <dc=example,dc=com> => ldap_bv2dn(dc=example,dc=com,0) <= ldap_bv2dn(dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(dc=example,dc=com)=0 <<< dnPrettyNormal: <dc=example,dc=com>, <dc=example,dc=com> line 16 (rootdn "cn=manager,dc=example,dc=com") >>> dnPrettyNormal: <cn=manager,dc=example,dc=com> => ldap_bv2dn(cn=manager,dc=example,dc=com,0) <= ldap_bv2dn(cn=manager,dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=manager,dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=manager,dc=example,dc=com)=0 <<< dnPrettyNormal: <cn=manager,dc=example,dc=com>, <cn=manager,dc=example,dc=co m> line 17 (rootpw ***) line 19 (quarantine 1800,3) ******************* Slapd then exits with Segmentation Fault. Gdb shows... ****************** Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1211279696 (LWP 19080)] 0x081296d0 in ?? () ****************** Thanks is advance! Drew Graham

15 years

1
0
0 / 0

Segmentation fault with quarantine

by Andrew Graham

*** Before acting on this email or opening any attachment you are advised to read the disclaimer at the end of this email *** I've set up a meta directory with openldap, which has worked flawlessly until now. If I set the 'quarantine' directive slapd fails to start, giving a segmentation fault. This occurs every time I use quarantine, on two different distros, on any version of openldap that I've tested (2.3.39, 2.3.41, 2.4.9), with both my usual config file and a very simple config file. As an example, I built openldap 2.4.9 on suse 10 with the following configure line... # ./configure --prefix=/usr/local/ldap3 --enable-meta --enable-ldap Slapd.conf looks like... ******************* include /usr/local/ldap/etc/openldap/schema/core.schema include /usr/local/ldap/etc/openldap/schema/cosine.schema include /usr/local/ldap/etc/openldap/schema/inetorgperson.schema pidfile /usr/local/ldap/var/run/slapd.pid argsfile /usr/local/ldap/var/run/slapd.args database meta suffix "dc=example,dc=com" rootdn "cn=manager,dc=example,dc=com" rootpw "secret" quarantine 1800,3 uri "ldap://ldap.example.com/dc=example,dc=com" ******************* Obviously my normal config looks nothing like this, but running this config gets the same result. the last few lines that slapd will output with full debug gives... ****************** line 9 (pidfile /usr/local/ldap/var/run/slapd.pid) line 9 (pidfile /usr/local/ldap/var/run/slapd.pid) line 9 (pidfile /usr/local/ldap/var/run/slapd.pid) line 10 (argsfile /usr/local/ldap/var/run/slapd.args) line 13 (database meta) line 14 (suffix "dc=example,dc=com") >>> dnPrettyNormal: <dc=example,dc=com> => ldap_bv2dn(dc=example,dc=com,0) <= ldap_bv2dn(dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(dc=example,dc=com)=0 <<< dnPrettyNormal: <dc=example,dc=com>, <dc=example,dc=com> line 16 (rootdn "cn=manager,dc=example,dc=com") >>> dnPrettyNormal: <cn=manager,dc=example,dc=com> => ldap_bv2dn(cn=manager,dc=example,dc=com,0) <= ldap_bv2dn(cn=manager,dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=manager,dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=manager,dc=example,dc=com)=0 <<< dnPrettyNormal: <cn=manager,dc=example,dc=com>, <cn=manager,dc=example,dc=co m> line 17 (rootpw ***) line 19 (quarantine 1800,3) ******************* Before exiting with Segmentation Fault. Gdb shows... ****************** Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1211279696 (LWP 19080)] 0x081296d0 in ?? () ****************** Is this a bug or some mistake I'm making? Thanks is advance! Drew Graham *** Disclaimer *** The information contained in this E-Mail and any subsequent correspondence may be subject to the Export Control Act (ECA) 2002. The content is private and is intended solely for the recipient(s). For those other than the recipient any disclosure, copying, distribution, or action taken, or omitted to be taken, in reliance on such information is prohibited and may be unlawful. If received in error please return to sender immediately. Under the laws of England misuse of information that is subject to the ECA 2002, is a criminal offence. Westland Helicopters Ltd Lysander Road Yeovil BA20 2YB England Registered in England under No 604352

15 years

2
1
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs May 2008