requate@univention.de wrote:

Full_Name: Arvid Requate Version: 2.4.45 OS: UCS / Debian Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (92.210.162.23)

In our CI tests we observed a situation where the slapd-mdb failed to start, terminating due to a "bus error" and slapcat showed the same behaviour. I turned out that the data.mdb file had an "Attribute;option" string right at the end of it and strchrlen tried to access a memory location past the end of the page while scanning for another ';', see stack trace down below.

Thanks for the report, fix applied to master.

This patch fixed the issue for us:

Author: Arvid Requate requate@univention.de Date: Tue Dec 3 23:33:10 2019 +0100

Avoid bus error with slapd-mdb/slapcat

diff --git a/servers/slapd/ad.c b/servers/slapd/ad.c index 801f18d34..31a94a725 100644 --- a/servers/slapd/ad.c +++ b/servers/slapd/ad.c @@ -145,7 +145,7 @@ static char *strchrlen( { const char *p;

•   for( p=beg; *p && p < end; p++ ) {
  

•   for( p=beg; p < end && *p; p++ ) {
            if( *p == ch ) {
                    *len = p - beg;
                    return (char *) p;
  

=========================================================

This is the stack trace:

$ gdb slapcat bt #0 0x00005555555d0dc4 in strchrlen (len=<synthetic pointer>, ch=59 ';', end=0x7fff6bd62000 <error: Cannot access memory at address 0x7fff6bd62000>, beg=0x7fff6bd61ff5 "entry-de-de"<error: Cannot access memory at address 0x7fff6bd62000>) at ../../../../servers/slapd/ad.c:148 #1 slap_bv2ad (bv=bv@entry=0x7fffffffdbe0, ad=ad@entry=0x7fffffffdbb8, text=text@entry=0x7fffffffdbb0) at ../../../../servers/slapd/ad.c:224 #2 0x00007fffee70e043 in mdb_ad_read (mdb=mdb@entry=0x555555a58240, txn=<optimized out>) at ../../../../../servers/slapd/back-mdb/attr.c:573 #3 0x00007fffee6fe4ad in mdb_db_open (be=0x7fffffffdd90, cr=0x7fffffffdf80) at ../../../../../servers/slapd/back-mdb/init.c:263 #4 0x00005555555fa601 in over_db_open (be=<optimized out>, cr=0x7fffffffdf80) at ../../../../servers/slapd/backover.c:149 #5 0x000055555559a317 in backend_startup_one (be=be@entry=0x555555a580a0, cr=cr@entry=0x7fffffffdf80) at ../../../../servers/slapd/backend.c:224 #6 0x000055555559a4cb in backend_startup (be=be@entry=0x555555a580a0) at ../../../../servers/slapd/backend.c:278 #7 0x00005555555bc0e1 in slap_startup (be=0x555555a580a0) at ../../../../servers/slapd/init.c:219 #8 0x00005555555ffc84 in slap_tool_init (progname=progname@entry=0x55555561d2c1 "slapcat", tool=tool@entry=2, argc=<optimized out>, argv=<optimized out>) at ../../../../servers/slapd/slapcommon.c:908 #9 0x00005555555fec90 in slapcat (argc=<optimized out>, argv=<optimized out>) at ../../../../servers/slapd/slapcat.c:53 #10 0x0000555555570867 in main (argc=1, argv=0x7fffffffe568) at ../../../../servers/slapd/main.c:410 =========================================================