https://bugs.openldap.org/show_bug.cgi?id=10302
Issue ID: 10302
Summary: Double free of idcursor
Product: OpenLDAP
Version: 2.6.6
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: backends
Assignee: bugs(a)openldap.org
Reporter: simon.rupf(a)lzlabs.com
Target Milestone: ---
Created attachment 1050
--> https://bugs.openldap.org/attachment.cgi?id=1050&action=edit
proposed patch, which was created from current master, but also applies to
2.6.6
While switching from Oracle Linux (a RHEL clone) 8 to 9 one of our larger LDAP
samples started causing a double free error at the end of the slapadd run.
While I can't share the LDIF in question and it didn't consistently cause the
issue, only every 5-6 times it ran, I could ran gdb and valgrind on it and
suggest the attached patch that resolves that error to re-occur. I validated
the patch still applies to the current master branch of openldap, as well as to
2.6.6 on EL9 where we encountered this.
The error originally observed was this (commands being run as ldap user):
[...]
rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -l /tmp/lz_vault_convert_add.ldif -q -w -n 2
PROXIED attributeDescription "LZVAULTPROFILECOUNT" inserted.
PROXIED attributeDescription "LZVAULTGLOBALPROFILECOUNT" inserted.
-#################### 100.00% eta none elapsed 03s spd 4.2 M/s
Closing DB...double free or corruption (!prev)
Under valgrind, the following trace could be observed:
valgrind --vgdb=full --leak-check=full --show-leak-kinds=all
--track-origins=yes slapadd -l /tmp/lz_vault_convert_add.ldif -q -w -n 2
==502== Memcheck, a memory error detector
==502== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
==502== Using Valgrind-3.23.0 and LibVEX; rerun with -h for copyright info
==502== Command: slapadd -l /tmp/lz_vault_convert_add.ldif -q -w -n 2
==502==
PROXIED attributeDescription "LZVAULTPROFILECOUNT" inserted.
PROXIED attributeDescription "LZVAULTGLOBALPROFILECOUNT" inserted.
==502== Invalid read of size 8
==502== at 0x1E65A9: mdb_cursor_close (mdb.c:7764)
==502== by 0x1F71B8: UnknownInlinedFun (tools.c:202)
==502== by 0x1F71B8: mdb_tool_entry_close (tools.c:152)
==502== by 0x1D8291: slapadd (slapadd.c:511)
==502== by 0x1348C6: main (main.c:540)
==502== Address 0x188c8af8 is 8 bytes inside a block of size 392 free'd
==502== at 0x4847B4C: free (vg_replace_malloc.c:989)
==502== by 0x22CEFE: mdb_cursors_close.isra.0 (mdb.c:2638)
==502== by 0x1EBAAE: mdb_txn_commit (mdb.c:3640)
==502== by 0x1F75E2: mdb_tool_entry_modify (tools.c:1066)
==502== by 0x1D9AF9: slap_tool_update_ctxcsn.part.0 (slapcommon.c:1069)
==502== by 0x1D8440: UnknownInlinedFun (slapcommon.c:962)
==502== by 0x1D8440: slapadd (slapadd.c:502)
==502== by 0x1348C6: main (main.c:540)
==502== Block was alloc'd at
==502== at 0x484482F: malloc (vg_replace_malloc.c:446)
==502== by 0x1E8699: mdb_cursor_open (mdb.c:7690)
==502== by 0x1F8C45: mdb_tool_entry_put (tools.c:707)
==502== by 0x1D8150: slapadd (slapadd.c:453)
==502== by 0x1348C6: main (main.c:540)
[...]
Please advise if I can provide any further diagnostics, while I can still
relatively easily reproduce the issue.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=7249
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |VERIFIED
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10290
Issue ID: 10290
Summary: Combination of syncrepl+rwm+syncprov frees the wrong
modlist
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: ondra(a)mistotebe.net
Target Milestone: ---
An MPR setup with rwm enabled (regardless of configuration it seems) will crash
with the provided modlist being freed twice. This is the sequence of events of
what is stored in op->orm_modlist, allocated and freed by whom, replacing the
actual pointers to make it easier to track:
syncrepl_message_to_op: preparing a modify with 0xoriginal
syncrepl_op_modify: old modlist 0xoriginal replacing with 0xsyncrepl_op_modify
rwm_op_modify: old modlist 0xsyncrepl_op_modify replacing with 0xrwm_op_modify
<modify happens>
syncrepl_modify_cb: freeing 0xsyncrepl_op_modify, replacing with 0xoriginal
(forgetting 0xrwm_op_modify)
rwm_op_rollback: freeing 0xoriginal replacing with 0xsyncrepl_op_modify
syncrepl_message_to_op: went in with 0xoriginal, got 0xsyncrepl_op_modify back
syncrepl_message_to_op: freeing 0xsyncrepl_op_modify
Not sure who is at fault: syncrepl_modify_cb is the one freeing the wrong
modlist, but then if backover were to work with an actual "stack", running
response callbacks in the opposite order from the request, things would have
been ok too.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10336
Issue ID: 10336
Summary: slapd crashes with segfault in mdb_delete.c on
non-existent tree part deletion
Product: OpenLDAP
Version: 2.6.9
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: A.Asemov(a)edpnet.com
Target Milestone: ---
slapd crashes with segfault in mdb_delete.c on non-existent tree part deletion.
Applies to 2.6.7, 2.6.8, 2.6.9
----------
Prerequisites:
----------
- mdb backend
- empty mdb database
----------
Sample reproducer:
----------
ldapdelete -x -H ldap://127.0.0.1 -w "password" -D
"cn=MyApplication,dc=Contacts,dc=MyTree" "dc=Contacts,dc=MyTree"
----------
Expected behavior:
----------
ldap_delete: No such object (32)
----------
Actual behavior:
----------
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00005566507b96e0 in mdb_delete (op=0x7f3f0c002910, rs=0x7f3f19bfd8a0) at
../../../../openldap-epel-2.6.8/openldap-2.6.8/servers/slapd/back-mdb/delete.c:151
----------
Sample slapd.conf:
----------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/openldap.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib64/openldap
#moduleload back_shell.la
moduleload sssvlv.la
moduleload valsort.la
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile /etc/<path removed>.crt
TLSCertificateKeyFile /etc/<path removed>.key
database mdb
suffix "dc=Contacts,dc=MyTree"
directory "/var/lib/ldap"
checkpoint 1024 1
dbnosync
maxsize 1048576000
index objectClass eq,pres
index ou,cn eq,pres,sub
index uidNumber,gidNumber eq,pres
index uid eq,pres,sub
rootdn "cn=MyApplication,dc=Contacts,dc=MyTree"
rootpw "{SSHA}<removed>"
access to *
by dn="cn=Phone,dc=Contacts,dc=MyTree" read
by peername.ip=127.0.0.1 write
by anonymous auth
by * none
overlay sssvlv
sssvlv-max 1000
sssvlv-maxperconn 1000
----------
Sample fix:
I am not versed in OpenLDAP code so I can't tell if it's semantically correct.
Seems like "e" gets NULL in this piece of code and the piece of code does not
verify if "e" is NULL. Adding check for ( e ) makes slapd correctly return
ldap_delete: No such object (32) instead of segfaulting.
----------
--- a/servers/slapd/back-mdb/delete.c 2024-05-21 19:19:11.000000000 +0200
+++ b/servers/slapd/back-mdb/delete.c 2025-05-12 14:43:04.652396852 +0200
@@ -148,17 +148,19 @@
"<=- " LDAP_XSTRING(mdb_delete) ": no such object
%s\n",
op->o_req_dn.bv_val );
- rs->sr_matched = ch_strdup( e->e_dn );
- if ( is_entry_referral( e )) {
- BerVarray ref = get_entry_referrals( op, e );
- rs->sr_ref = referral_rewrite( ref, &e->e_name,
- &op->o_req_dn, LDAP_SCOPE_DEFAULT );
- ber_bvarray_free( ref );
- } else {
- rs->sr_ref = NULL;
+ if ( e ) {
+ rs->sr_matched = ch_strdup( e->e_dn );
+ if ( is_entry_referral( e )) {
+ BerVarray ref = get_entry_referrals( op, e );
+ rs->sr_ref = referral_rewrite( ref, &e->e_name,
+ &op->o_req_dn, LDAP_SCOPE_DEFAULT );
+ ber_bvarray_free( ref );
+ } else {
+ rs->sr_ref = NULL;
+ }
+ mdb_entry_return( op, e );
+ e = NULL;
}
- mdb_entry_return( op, e );
- e = NULL;
rs->sr_err = LDAP_REFERRAL;
rs->sr_flags = REP_MATCHED_MUSTBEFREED | REP_REF_MUSTBEFREED;
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10288
Issue ID: 10288
Summary: autoca Attribute olcAutoCAserverClass
Product: OpenLDAP
Version: 2.6.9
Hardware: All
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: stefan(a)kania-online.de
Target Milestone: ---
I try to add the autoca overlay with the following ldif:
--------------
dn: olcOverlay=autoca,olcDatabase={2}mdb,cn=config
objectClass: olcAutoCAConfig
objectClass: olcOverlayConfig
olcOverlay: autoca
olcAutoCADays: 3652
olcAutoCAKeybits: 4096
olcAutoCAserverClass: ipHost
olcAutoCAserverDays: 1826
olcAutoCAserverKeybits: 4096
olcAutoCAuserClass: person
olcAutoCAuserDays: 365
olcAutoCAuserKeybits: 4096
--------------
ldapadd gives me:
adding new entry "olcOverlay=autoca,olcDatabase={2}mdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: <olcAutoCAserverClass> handler exited with 1
If I remove the attribute from my ldif, it works.
What is wrong with the olcAutoCAserverClass attribute in my ldif? I try to look
it up in the admin handbook but I could not find anything. I looked in the
source code and found:
------------
{ "serverClass", "objectclass", 2, 2, 0,
ARG_STRING|ARG_MAGIC|ACA_SRVCLASS, autoca_cf,
"( OLcfgOvAt:22.2 NAME 'olcAutoCAserverClass' "
"DESC 'ObjectClass of server entries' "
"EQUALITY caseIgnoreMatch "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
------------
For me it looks the same as the attribute olcAutoCAuserclass.
-------------
{ "userClass", "objectclass", 2, 2, 0,
ARG_STRING|ARG_MAGIC|ACA_USRCLASS, autoca_cf,
"( OLcfgOvAt:22.1 NAME 'olcAutoCAuserClass' "
"DESC 'ObjectClass of user entries' "
"EQUALITY caseIgnoreMatch "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
-------------
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10020
Issue ID: 10020
Summary: dynlist's @groupOfUniqueNames is considered only for
the first configuration line
Product: OpenLDAP
Version: 2.5.13
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: msl(a)touk.pl
Target Milestone: ---
If we consider the following configuration of dynlist:
{0}toukPerson labeledURI uniqueMember+memberOf@groupOfUniqueNames
{1}groupOfURLs memberURL uniqueMember+dgMemberOf@groupOfUniqueNames
The {0} entry will correctly populate the memberOf relatively to static group
membership.
The {1} entry will produce dgMemberOf with dynamic group membership correctly
(based on memberURL query) but it will not populate static entries IF {0} entry
in configuration is present. IF I remove {0} from the dynlist configuration -
or - remove @groupOfUniqueNames part from this configuration line, then both
dynamic and static entries will be populated correctly for {1}.
So the effects are as follows on some user entry:
if both {0} and {1} are present - {1} produced only dynamic groups:
memberOf: cn=adm,ou=touk,ou=group,dc=touk,dc=pl
memberOf: cn=touk,ou=touk,ou=group,dc=touk,dc=pl
dgMemberOf: cn=dyntouk,ou=dyntest,ou=group,dc=touk,dc=pl
if both {0} and {1} are present and @groupOfUniqueNames is removed from {0} -
{1} produced static+dynamic groups:
dgMemberOf: cn=adm,ou=touk,ou=group,dc=touk,dc=pl
dgMemberOf: cn=touk,ou=touk,ou=group,dc=touk,dc=pl
dgMemberOf: cn=dyntouk,ou=dyntest,ou=group,dc=touk,dc=pl
If only {1} is present - {1} produced static+dynamic groups:
dgMemberOf: cn=adm,ou=touk,ou=group,dc=touk,dc=pl
dgMemberOf: cn=touk,ou=touk,ou=group,dc=touk,dc=pl
dgMemberOf: cn=dyntouk,ou=dyntest,ou=group,dc=touk,dc=pl
For completness - if only {0} is present:
memberOf: cn=adm,ou=touk,ou=group,dc=touk,dc=pl
memberOf: cn=touk,ou=touk,ou=group,dc=touk,dc=pl
I would expect this behavior to be correct for the first case - {0} and {1}.
memberOf: cn=adm,ou=touk,ou=group,dc=touk,dc=pl
memberOf: cn=touk,ou=touk,ou=group,dc=touk,dc=pl
dgMemberOf: cn=dyntouk,ou=dyntest,ou=group,dc=touk,dc=pl
dgMemberOf: cn=adm,ou=touk,ou=group,dc=touk,dc=pl
dgMemberOf: cn=touk,ou=touk,ou=group,dc=touk,dc=pl
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9934
Issue ID: 9934
Summary: slapd-config(5) should document how to store
certificates for slapd usage
Product: OpenLDAP
Version: 2.5.13
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: documentation
Assignee: bugs(a)openldap.org
Reporter: quanah(a)openldap.org
Target Milestone: ---
Commit 7b41feed83b expanded the ability of cn=config to save the certificates
used for TLS by slapd directly in the config database. However the
documentation for the new parameters was never added to the slapd-config(5) man
page.
olcTLSCACertificate $ olcTLSCertificate $ olcTLSCertificateKey
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10270
Issue ID: 10270
Summary: Issues with pcache when refresh/persistPcache used
Product: OpenLDAP
Version: 2.5.18
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: aweits(a)rit.edu
Target Milestone: ---
Greetings, OpenLDAP-folk.
We've been running with the pcache overlay in 2.5.18
with both query refresh and pcachePersist for a bit
and have observed some oddities:
1.) Negative queries don't get refreshed
2.) Queries don't seem to be persisted
These behaviors are all exhibited from the current
git version as well - code/patches below for clarity
of communication:
Thanks!
Andy
commit c0b4fe92c8df746c0e6a777f93f1687135114eb9
Author: Andrew Elble <aweits(a)rit.edu>
Date: Fri Oct 11 08:43:47 2024 -0400
negative cache entries are not loaded when pcachePersist is on
diff --git a/servers/slapd/overlays/pcache.c b/servers/slapd/overlays/pcache.c
index 9ef78fd6bf43..9fd72e6d7261 100644
--- a/servers/slapd/overlays/pcache.c
+++ b/servers/slapd/overlays/pcache.c
@@ -802,7 +802,11 @@ url2query(
goto error;
}
- cq = add_query( op, qm, &query, qt, PC_POSITIVE, 0 );
+ if (BER_BVISNULL( &uuid )) {
+ cq = add_query( op, qm, &query, qt, PC_NEGATIVE, 0 );
+ } else {
+ cq = add_query( op, qm, &query, qt, PC_POSITIVE, 0 );
+ }
if ( cq != NULL ) {
cq->expiry_time = expiry_time;
cq->refresh_time = refresh_time;
commit 8f7b50dfcec69fa01f8cf0a4b77f3dee8ef9f0f6
Author: Andrew Elble <aweits(a)rit.edu>
Date: Fri Oct 11 08:38:36 2024 -0400
queries with ttr/x-refresh are not loaded when pcachePersist is on
diff --git a/servers/slapd/overlays/pcache.c b/servers/slapd/overlays/pcache.c
index 40c1f9673776..9ef78fd6bf43 100644
--- a/servers/slapd/overlays/pcache.c
+++ b/servers/slapd/overlays/pcache.c
@@ -749,7 +749,7 @@ url2query(
}
}
- if ( got != GOT_ALL ) {
+ if ( (got & GOT_ALL) != GOT_ALL) {
rc = 1;
goto error;
}
commit c7e52c90192a43876d40b9776a58db951d27937c
Author: Andrew Elble <aweits(a)rit.edu>
Date: Fri Oct 11 08:37:13 2024 -0400
ttr was not being applied to negatively cached entries
diff --git a/servers/slapd/overlays/pcache.c b/servers/slapd/overlays/pcache.c
index 1d6e4ba4edcf..40c1f9673776 100644
--- a/servers/slapd/overlays/pcache.c
+++ b/servers/slapd/overlays/pcache.c
@@ -1580,6 +1580,8 @@ add_query(
case PC_NEGATIVE:
ttl = templ->negttl;
+ if ( templ->ttr )
+ ttr = now + templ->ttr;
break;
case PC_SIZELIMIT:
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10331
Issue ID: 10331
Summary: slap* tools should be a little more helpful as to
which command line option was invalid
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: ondra(a)mistotebe.net
Target Milestone: ---
Also why where appropriate.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10327
Issue ID: 10327
Summary: Adding syncprov to cn=config can lock up server
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: backends
Assignee: bugs(a)openldap.org
Reporter: ondra(a)mistotebe.net
Target Milestone: ---
As reported on openldap-technical[0], adding syncprov to a cn=config DB can
lock up the server. This happens when syncprov_db_otask is scheduled by
syncprov_db_open.
ITS#9045 has already dealt with this for config_back_entry_get, we can relax
this description and allow a config_back_search do the same. Even though it is
technically on a different thread than the main modification, AFAIK it is still
the only one running as the server is paused and the main modification is
paused waiting for it?
[0].
https://lists.openldap.org/hyperkitty/list/openldap-technical@openldap.org/…
--
You are receiving this mail because:
You are on the CC list for the issue.