openldap-bugs February 2017

openldap-bugs@openldap.org

22 participants
59 discussions

Re: (ITS#8592) Double free in sssvlv.c
by kevinanties＠gmail.com 21 Feb '17

21 Feb '17

--f403045e36642e33f305491978d4 Content-Type: text/plain; charset=UTF-8 Sorry for that. ftp://ftp.openldap.org/incoming/kevin-170221-sssvlv.patch The attached file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by YW. YW has not assigned rights and/or interest in this work to any party. I, Kevin, am authorized by YW, my employer, to release this work under the following terms. YW hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice. On Wed, Feb 22, 2017 at 12:09 AM, Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Tuesday, February 21, 2017 4:20 AM +0000 kevinanties(a)gmail.com wrote: > > --f403045e3462d25e8f054902b3a3 >> Content-Type: text/plain; charset=UTF-8 >> >> I have submitted to ftp/incoming. The filename is >> kevin-170221-sssvlv.patch. >> > > Please carefully read the contribution web page. Your submission is > clearly missing the IPR notice: > > <http://www.openldap.org/devel/contributing.html#notice> > > > Regards, > Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > > --f403045e36642e33f305491978d4 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr">Sorry for that.<br><br><pre><a rel=3D"nofollow" href=3D"ft= p://ftp.openldap.org/incoming/kevin-170221-sssvlv.patch">ftp://ftp.openldap= .org/incoming/kevin-170221-sssvlv.patch</a></pre><br><font face=3D"Arial,Ve= rdana,Helvetica">The attached file is derived from OpenLDAP Software. All o= f the modifications to OpenLDAP Software represented in the following patch= (es) were developed by YW. YW has not assigned rights and/or interest in th= is work to any party. I, Kevin, am authorized by YW, my employer, to releas= e this work under the following terms. <br></font><font face=3D"Arial,Verda= na,Helvetica"><br>YW hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice. </font><br><br><br></div><div class=3D"gmail_extra"><br><div class=3D"gmail= _quote">On Wed, Feb 22, 2017 at 12:09 AM, Quanah Gibson-Mount <span dir=3D"= ltr"><<a href=3D"mailto:quanah@symas.com" target=3D"_blank">quanah@symas= .com</a>></span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"ma= rgin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">--On Tuesday, = February 21, 2017 4:20 AM +0000 <a href=3D"mailto:kevinanties@gmail.com" ta= rget=3D"_blank">kevinanties(a)gmail.com</a> wrote:<br> <br> <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p= x #ccc solid;padding-left:1ex"> --f403045e3462d25e8f054902b3a3<br> Content-Type: text/plain; charset=3DUTF-8<span class=3D""><br> <br> I have submitted to ftp/incoming. The filename is<br> kevin-170221-sssvlv.patch.<br> </span></blockquote> <br> Please carefully read the contribution web page.=C2=A0 Your submission is c= learly missing the IPR notice:<br> <br> <<a href=3D"http://www.openldap.org/devel/contributing.html#notice" rel= =3D"noreferrer" target=3D"_blank">http://www.openldap.org/devel<wbr>/contri= buting.html#notice</a>><div class=3D"HOEnZb"><div class=3D"h5"><br> <br> Regards,<br> Quanah<br> <br> --<br> <br> Quanah Gibson-Mount<br> Product Architect<br> Symas Corporation<br> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:<br> <<a href=3D"http://www.symas.com" rel=3D"noreferrer" target=3D"_blank">h= ttp://www.symas.com</a>><br> <br> </div></div></blockquote></div><br></div> --f403045e36642e33f305491978d4--

1 0

Re: (ITS#8592) Double free in sssvlv.c
by quanah＠symas.com 21 Feb '17

21 Feb '17

--On Tuesday, February 21, 2017 4:20 AM +0000 kevinanties(a)gmail.com wrote: > --f403045e3462d25e8f054902b3a3 > Content-Type: text/plain; charset=UTF-8 > > I have submitted to ftp/incoming. The filename is > kevin-170221-sssvlv.patch. Please carefully read the contribution web page. Your submission is clearly missing the IPR notice: <http://www.openldap.org/devel/contributing.html#notice> Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: (ITS#8592) Double free in sssvlv.c
by kevinanties＠gmail.com 20 Feb '17

20 Feb '17

--f403045e3462d25e8f054902b3a3 Content-Type: text/plain; charset=UTF-8 I have submitted to ftp/incoming. The filename is kevin-170221-sssvlv.patch. On Tue, Feb 21, 2017 at 12:25 AM, Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Monday, February 20, 2017 7:45 AM +0000 kevinanties(a)gmail.com wrote: > > > I have fixed this problem by adding one boolean flag to sort_op struct to >> indicate whether this is occupied or not . >> >> What is the best way to submit my patch? >> > > Hi Kevin, > > Submission requiresments are documented at <http://www.openldap.org/devel > /contributing.html> > > Regards, > > Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > > --f403045e3462d25e8f054902b3a3 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr">I have submitted to ftp/incoming. The filename is kevin-17= 0221-sssvlv.patch.=C2=A0 <br></div><div class=3D"gmail_extra"><br><div clas= s=3D"gmail_quote">On Tue, Feb 21, 2017 at 12:25 AM, Quanah Gibson-Mount <sp= an dir=3D"ltr"><<a href=3D"mailto:quanah@symas.com" target=3D"_blank">qu= anah(a)symas.com</a>></span> wrote:<br><blockquote class=3D"gmail_quote" s= tyle=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><spa= n class=3D"">--On Monday, February 20, 2017 7:45 AM +0000 <a href=3D"mailto= :kevinanties@gmail.com" target=3D"_blank">kevinanties(a)gmail.com</a> wrote:<= br> <br> <br> <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p= x #ccc solid;padding-left:1ex"> I have fixed this problem by adding one boolean flag to sort_op struct to<b= r> indicate whether this is occupied or not .<br> <br> What is the best way to submit my patch?<br> </blockquote> <br></span> Hi Kevin,<br> <br> Submission requiresments are documented at <<a href=3D"http://www.openld= ap.org/devel/contributing.html" rel=3D"noreferrer" target=3D"_blank">http:/= /www.openldap.org/devel<wbr>/contributing.html</a>><br> <br> Regards,<div class=3D"HOEnZb"><div class=3D"h5"><br> Quanah<br> <br> --<br> <br> Quanah Gibson-Mount<br> Product Architect<br> Symas Corporation<br> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:<br> <<a href=3D"http://www.symas.com" rel=3D"noreferrer" target=3D"_blank">h= ttp://www.symas.com</a>><br> <br> </div></div></blockquote></div><br></div> --f403045e3462d25e8f054902b3a3--

1 0

Re: (ITS#8592) Double free in sssvlv.c
by quanah＠symas.com 20 Feb '17

20 Feb '17

--On Monday, February 20, 2017 7:45 AM +0000 kevinanties(a)gmail.com wrote: > I have fixed this problem by adding one boolean flag to sort_op struct to > indicate whether this is occupied or not . > > What is the best way to submit my patch? Hi Kevin, Submission requiresments are documented at <http://www.openldap.org/devel/contributing.html> Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

(ITS#8603) [PATCH] adds ldif_open_mem()
by brett＠gladserv.com 20 Feb '17

20 Feb '17

Full_Name: Brett Sheffield Version: master OS: Gentoo GNU/Linux URL: http://www.brettsheffield.com/patches/openldap/brett-sheffield-170220-ldif_… Submission from: (NULL) (2001:470:6e0d:0:96de:80ff:fe2d:3aa9) Patch[0] to add ldif_open_mem() function to ldif API. ldif_open_mem() is the fmemopen(3) equivalent of ldif_open() which opens an ldif steam from memory, rather than from a file. I originally added a similar function to my project libgladdb in 2014[1], but it really belongs in openldap itself as it is generally useful. The attached modifications to OpenLDAP Software are subject to the following notice: Copyright 2014, 2017 Brett Sheffield Redistribution and use in source and binary forms, with or without modification, are permitted only as authorized by the OpenLDAP Public License. [0] http://www.brettsheffield.com/patches/openldap/brett-sheffield-170220-ldif_… [1] https://github.com/brettsheffield/gladdb/blob/master/src/ldif.c

1 0

Re: (ITS#8592) Double free in sssvlv.c
by kevinanties＠gmail.com 19 Feb '17

19 Feb '17

--f403045d9e2209c2250548f17338 Content-Type: text/plain; charset=UTF-8 I have found the cause of the problem. This bug is hard to reproduce unless we make some change to the source codes. (e.g put sleep(1) to send_result function of sssvlv.c) illustrate steps: 1. A client sends two requests with "server side sort" control flag to search some entries. 2. The server dispatches two threads (A and B) to handle. 3. Thread A allocate the "so" struct and puts the "so" pointer to the static array, sort_conns. 4. Thread A can not find any entry. free_sort_op is going to call at the end of send_result function. 5. At the same time, before free_sort_op is called, Thread B acquires the "so" pointer in sssvlv_op_search. It is because the ps_cookie is always zero for new initialized "so" . 6. free_sort_op is called at Thread A. 7. For thread B, due to op->o_conn->c_pagedresults_state.ps_cookie != ps->ps_cookie, ok become 0. 8. free_sort_op is called at Thread B. Double free error occurs. Server dead. This bug will cause all slpad server to dead if the sssvlv overlay is enabled. I have fixed this problem by adding one boolean flag to sort_op struct to indicate whether this is occupied or not . What is the best way to submit my patch? On Sat, Feb 18, 2017 at 2:02 AM, Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Thursday, February 16, 2017 5:06 AM +0000 kevinanties(a)gmail.com > wrote: > > Full_Name: Kevin >> Version: 2.40 >> OS: Debian 7 >> URL: ftp://ftp.openldap.org/incoming/ >> Submission from: (NULL) (218.188.214.98) >> > > Please do not file new ITSes for existing issue. Please follow up to the > original ITS with your additional information. > > Thanks. > > --Quanah > > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > > --f403045d9e2209c2250548f17338 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr"><div><br></div><div>I have found the cause of the problem.= This bug is hard to reproduce unless we make some change to the source cod= es. (e.g=C2=A0 put sleep(1) to send_result function of sssvlv.c)<br><br>ill= ustrate steps:<br></div><div><br></div><div>1. A client sends two requests = with "server side sort" control flag to search some entries. <br>= <br></div><div>2. The server dispatches two threads (A and B) to handle.<br= ><br></div><div>3. Thread A allocate the "so" struct and puts the= "so" pointer to the static array, sort_conns.<br></div><div><br>= </div><div>4. Thread A can not find any entry.=C2=A0 <span class=3D"gmail-p= l-en">free_sort_op is going to call at the end of send_result function.<br>= <br></span></div><div><span class=3D"gmail-pl-en">5. At the same time, befo= re </span><span class=3D"gmail-pl-en">free_sort_op is called, Thread B acqu= ires the "so" pointer in sssvlv_op_search. It is because the ps_c= ookie is always zero for new initialized "so" .<br></span></div><= div><br></div><div>6. <span class=3D"gmail-pl-en">free_sort_op is called a= t </span>Thread A.<br><br></div><div>7. For thread B, due to op->o_conn-= >c_pagedresults_state.<span class=3D"gmail-pl-smi">ps_cookie !=3D ps-&gt= ;ps_cookie, ok become 0.<br><br>8. </span><span class=3D"gmail-pl-en">free_= sort_op is called at </span>Thread B. Double free error occurs. Server dead= .<br><br></div><div>This bug will cause all slpad server to dead if the sss= vlv overlay is enabled.<br><br></div><div>I have fixed this problem by addi= ng one boolean flag to sort_op struct to indicate whether this is occupied = or not . <br><br>What is the best way to submit my patch?<br></div><div><br= ></div><div><div class=3D"gmail_extra"><br><div class=3D"gmail_quote">On Sa= t, Feb 18, 2017 at 2:02 AM, Quanah Gibson-Mount <span dir=3D"ltr"><<a hr= ef=3D"mailto:quanah@symas.com" target=3D"_blank">quanah(a)symas.com</a>></= span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0= px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">--On Thur= sday, February 16, 2017 5:06 AM +0000 <a href=3D"mailto:kevinanties@gmail.c= om" target=3D"_blank">kevinanties(a)gmail.com</a> wrote:<br> <br> <blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-= left:1px solid rgb(204,204,204);padding-left:1ex"> Full_Name: Kevin<br> Version: 2.40<br> OS: Debian 7<br> URL: <a href=3D"ftp://ftp.openldap.org/incoming/" rel=3D"noreferrer" target= =3D"_blank">ftp://ftp.openldap.org/incomin<wbr>g/</a><br> Submission from: (NULL) (218.188.214.98)<br> </blockquote> <br> Please do not file new ITSes for existing issue.=C2=A0 Please follow up to = the original ITS with your additional information.<br> <br> Thanks.<br> <br> --Quanah<br> <br> <br> --<br> <br> Quanah Gibson-Mount<br> Product Architect<br> Symas Corporation<br> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:<br> <<a href=3D"http://www.symas.com" rel=3D"noreferrer" target=3D"_blank">h= ttp://www.symas.com</a>><br> <br> </blockquote></div><br></div></div></div> --f403045d9e2209c2250548f17338--

1 0

Re: (ITS#8593) test039 deadlocks
by quanah＠symas.com 17 Feb '17

17 Feb '17

--On Friday, February 17, 2017 5:53 PM +0000 quanah(a)openldap.org wrote: > Full_Name: Quanah Gibson-Mount > Version: 2.4.44 > OS: Solaris 10 > URL: ftp://ftp.openldap.org/incoming/test039-solaris-testrun.tgz > Submission from: (NULL) (47.208.148.26) Howard notes this is common behavior on Solaris because it has too few file descriptors with which to run the test suite. One needs to raise the FD limit prior to executing the tests. Default from ulimit -n shows 256 Should raise it to something reasonable like 1024 prior to execution --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: (ITS#8592) Double free in sssvlv.c
by quanah＠symas.com 17 Feb '17

17 Feb '17

--On Thursday, February 16, 2017 5:06 AM +0000 kevinanties(a)gmail.com wrote: > Full_Name: Kevin > Version: 2.40 > OS: Debian 7 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (218.188.214.98) Please do not file new ITSes for existing issue. Please follow up to the original ITS with your additional information. Thanks. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

(ITS#8593) test039 deadlocks
by quanah＠openldap.org 17 Feb '17

17 Feb '17

Full_Name: Quanah Gibson-Mount Version: 2.4.44 OS: Solaris 10 URL: ftp://ftp.openldap.org/incoming/test039-solaris-testrun.tgz Submission from: (NULL) (47.208.148.26) SunOS unknown 5.10 Generic_147148-26 i86pc i386 i86pc test039 sporadically locks up when running on Solaris 10. It took my system some 150 or so passes to trigger. On another system, it took only 16, so YMMV. What I see from the logs in the testrun is that slapd.3.log sends a response, and then halts: 58a723cf <<< dnPrettyNormal: <cn=All Staff,ou=Groups,o=Example,c=US>, <cn=all staff,ou=groups,o=example,c=us> 58a723cf => send_search_entry: conn 1003 dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=Example,c=US" slapd.2.log shows that the last thing it did was send a result, and then all the open connections to it from slapd-mtester timed out: 58a723cf send_ldap_result: conn=1008 op=15 p=3 58a723cf send_ldap_result: r=3D0 matched="" text="" 58a723cf send_ldap_response: msgid=16 tag=101 err=0 ber_flush2: 14 bytes to sd 24 58a723cf conn=1008 op=15 SEARCH RESULT tag=101 err=0 duration=0.298ms nentries=0 text= 58a723d5 connection_close: conn=1002 sd=15 58a723d5 conn=1002 fd=15 closed (idletimeout) 58a723d5 connection_close: conn=1003 sd=19 58a723d5 conn=1003 fd=19 closed (idletimeout) 58a723d5 connection_close: conn=1004 sd=20 (etc) slapd.1.log Also shows the last thing it did was return a result: 58a723cf bdb_search_candidates: id=1 first=9 last=9 58a723cf => send_search_entry: conn 1005 dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" ber_flush2: 704 bytes to sd 22 58a723cf <= send_search_entry: conn 1005 exit. 58a723cf send_ldap_result: conn=1005 op=20 p=3 58a723cf send_ldap_result: err=0 matched="" text="" 58a723cf send_ldap_response: msgid=21 tag=101 err=0 ber_flush2: 14 bytes to sd 22 58a723cf conn=1005 op=20 SEARCH RESULT tag=101 err=0 duration=0.300ms nentries=1 text= A tarfile with full backtraces on all slapd and tester programs has been uploaded to the FTP server

1 0

(ITS#8592) Double free in sssvlv.c
by kevinanties＠gmail.com 15 Feb '17

15 Feb '17

Full_Name: Kevin Version: 2.40 OS: Debian 7 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (218.188.214.98) This bug was reported but still havent been fixed in recent version. See (ITS#8368). Link: http://www.openldap.org/lists/openldap-bugs/201602/msg00005.html When one of my outlook client sends an email with more than 300 recipients, the slapd server crashes. The problem is caused by double free_sort_op function called in sssvlv.c. In my scenarios, the sssvlv_op_search function will call free_sort_op at line 955. However, the so pointer has already freed by the preivous free_sort_op call at send_result function at line 706. I guess there is a chance the so pointer can be occupied at sssvlv_op_search before the send_result get completed. Here is my gdb result: I set two break points. One is free_sort_op and the other one is send_result. It is clearly show that the free_sort_op was called twice . One is from send_result and the other is sssvlv_op_search. Breakpoint 2, send_result (op=op@entry=0x7fffdc0028e0, rs=rs@entry=0x7fffea8baae0, so=so@entry=0x7fffdc002670) at sssvlv.c:682 58a52415 conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text= Breakpoint 1, free_sort_op (so=0x7fffdc002670, conn=<optimized out>) at sssvlv.c:396 396 in sssvlv.c Breakpoint 1, free_sort_op (so=0x7fffdc002670, conn=<optimized out>) at sssvlv.c:396 396 in sssvlv.c Program received signal SIGABRT, Aborted. 0x00007ffff6628067 in raise () from /lib/x86_64-linux-gnu/libc.so.6 (gdb) backtrace #0 0x00007ffff6628067 in raise () from /lib/x86_64-linux-gnu/libc.so.6 #1 0x00007ffff6629448 in abort () from /lib/x86_64-linux-gnu/libc.so.6 #2 0x00007ffff66661b4 in ?? () from /lib/x86_64-linux-gnu/libc.so.6 #3 0x00007ffff666b98e in ?? () from /lib/x86_64-linux-gnu/libc.so.6 #4 0x00007ffff666c696 in ?? () from /lib/x86_64-linux-gnu/libc.so.6 #5 0000007ffff4381abb in free_sort_op (so=0x7fffdc002670, conn=<optimized out>) at sssvlv.c:406 #6 0x00007ffff43825ad in sssvlv_op_search (op=0x7fffd8000ae0, rs=0x7fffe3ffeae0) at sssvlv.c:954 #7 0x00000000004a324a in overlay_op_walk () #8 0x00000000004a33b5 in ?? () #9 0x000000000043fa01 in fe_op_search () #10 0x000000000043f39c in do_search () #11 0x000000000043d1c5 in ?? () #12 0x000000000043d4ae in ?? () #13 0x0000000000527c18 in ?? () #14 0x00007ffff69a6064 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0 #15 0x00007ffff66db62d in clone () from /lib/x86_64-linux-gnu/libc.so.6

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs February 2017