(ITS#8531) Segfault in servers/slapd/back-sql/search.c - openldap-bugs

17 Nov 2016


      Full_Name: Guido Winkelmann
Version: 2.4.44
OS: Gentoo Linux
URL: 
Submission from: (NULL) (80.146.184.86)
Hi,
I have been trying to set up OpenLDAP to serve some data from a MySQL database
using back_sql. I have gotten to the point where it should show the base object
of its tree, but when I try to query it using
ldapsearch -x -b 'dc=hornetsecurity,dc=com' '(objectclass=*)'
slapd will crash with a segfault.
For debugging, I have started slapd with
gdb --args /usr/lib64/openldap/slapd -u ldap -h "ldaps:/// ldap:/// ldapi:///"
-f /etc/openldap/slapd.conf -d -1
The last couple of lines from the gdb session look like this:
582da79a >>> dnPrettyNormal: <DC=HORNETSECURITY,DC=COM>
=> ldap_bv2dn(DC=HORNETSECURITY,DC=COM,0)
<= ldap_bv2dn(DC=HORNETSECURITY,DC=COM)=0 
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=HORNETSECURITY,dc=COM)=0 
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=hornetsecurity,dc=com)=0 
582da79a <<< dnPrettyNormal: <dc=HORNETSECURITY,dc=COM>,
<dc=hornetsecurity,dc=com>
582da79a <==backsql_dn2id("dc=hornetsecurity,dc=com"): err=0
582da79a ==>backsql_id2entry()
582da79a backsql_id2entry(): retrvingng all attributes
582da79a ==>backsql_get_attr_vals(): oc="dcObject" attr="dc" keyval=1
582da79a backsql_get_attr_vals(): number of values in query: 1
582da79a <==backsql_get_attr_vals()
582da79a ==>backsql_get_attr_vals(): oc="dcObject" attr="objectClass" keyval=1
582da79a backsql_get_attr_vals(): number of values in query: 1
582da79a <==backsql_get_attr_vals()
582da79a <==backsql_id2entry()
582da79a => access_allowed: search access to "dc=HORNETSECURITY,dc=COM" "entry"
requested
582da79a => slap_access_allowed: backend default search access granted to
"(anonymous)"
582da79a => access_allowed: search access granted by read(=rscxd)
582da79a ==>backsql_oc_get_candidates(): oc="dcObject"
582da79a ==>backsql_srch_query()
582da79a ==>backsql_process_filter()
582da79a <==backsql_process_filter() succeeded
582da79a <==backsql_srch_query() returns SELECT DISTINCT
ldap_entries.id,top_domain.id,'dcObject' AS objectClass,ldap_entries.dn AS dn
FROM ldap_entries,top_domain WHERE top_domain.id=ldap_entries.keyval AND
ldap_entries.oc_map_id=? AND 9=9 AND 3=3
582da79a Constructed query: SELECT DISTINCT
ldap_entries.id,top_domain.id,'dcObject' AS objectClass,ldap_entries.dn AS dn
FROM ldap_entries,top_domain WHERE top_domain.id=ldap_entries.keyval AND
ldap_entries.oc_map_id=? AND 9=9 AND 3=3
582da79a id: '1'
582da79a >>> dnPrettyNormal: <DC=HORNETSECURITY,DC=COM>
=> ldap_bv2dn(DC=HORNETSECURITY,DC=COM,0)
<= ldap_bv2dn(DC=HORNETSECURITY,DC=COM)=0 
=> ldap_dn2bv(272)
<= ldap_dn2b28dcdc=HORNETSECURITY,dc=COM)=0 
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=hornetsecurity,dc=com)=0 
582da79a <<< dnPrettyNormal: <dc=HORNETSECURITY,dc=COM>,
<dc=hornetsecurity,dc=com>
582da79a backsql_oc_get_candidates(): added entry id=0 keyval=1
dn="DC=HORNETSECURITY,DC=COM"X582da79a <==backsql_oc_get_candidates(): 1
582da79a backsql_search(): loading data for entry id=0 oc_id=1, keyval=1
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffee336700 (LWP 13529)]
backsql_search (op=0x7fffe00028d0, r3D0x0x7fffee335950) at
/var/tmp/portage/net-nds/openldap-2.4.44/work/openldap-2.4.44/servers/slapd/back-sql/search.c:2303
2303                                    is_entry_referral( e ) )
(gdb) bt
#0  backsql_search (op=0x7fffe00028d0, rs=0x7fffee335950)
a%2/var/tmp/portage/net-nds/openldap-2.4.44/work/openldap-2.4.44/servers/slapd/back-sql/search.c:2303
#1  0x00000000004353a1 in fe_op_search (op=0x7fffe00028d0, rs=0x7fffee335950) at
/var/tmp/portage/net-nds/openldap-2.4.44/work/openldap-2.4.44/servers/slapd/search.c:402
#2  0x0000000000434d3c in do_search (op=0x7fffe00028d0, rs=0x7fffee335950) at
/var/tmp/portage/net-nds/openldap-2.4.44/work/openldap-2.4.44/servers/slapd/search.c:247
#3  0x0000000000432754 in connection_operation (ctx=ctx@entry=0x7fffee335b90,
arg_v=arg_v@entry=0x7fffe00028d0) at
/var/tmp/portage/net-nds/openldap-2.4.44/work/openldap-2.4.44/servers/slapd/connection.c:1158
#4  0x0000000000432a27 in connection_read_thread (ctx=0x7fffee335b90, argv=0x10)
at /var/tmp/portage/net-nds/openldap-2.4.44/work/openldap-2.4.44/servers/slapd/connection.c:1294
#5  0x00007ffff7b98cd2 in ldap_int_thread_pool_wrapper (xpool=0x84bfa0) at
/var/tmp/portage/net-nds/openldap-2.4.44/work/openldap-2.4.44/libraries/libldap_r/tpool.c:696
#6  0x00007ffff71de434 in start_thread (arg=0x7fffee336700) at
pthread_create.c:334
#7  0x00007ffff618b52d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:109
(gdb) print e
$1 = (Entry *) 0x0
(gdb) print bi->sql_baseObject 
$2 = (Entry *) 0x0
(gdb) info locals
a_hasSubordinate = 0x0
a_entryUUID = 0x0
a_entryCSN = 0x0
e = 0x0
rc = <optimized out>
ap = 0x0
bi = 0x89b9f0
dbh = 0x7fffe0102cb0
sres = <optimized out>
user_entry = {e_id = 0, e_name = {bv_len = 0, bv_val = 0x0}, e_nname = {bv_len =
0, bv_val = 0x0}, e_attrs = 0x0, e_ocflags = 0, e_bv = {bv_len = 0, bv_val =
0x0}, e_private = 0x0}
base_entry = {e_id = 0, e_name = {bv_len = 24, bv_val = 0x7fffe000f278
"dc=HORNETSECURITY,dc=COM"}, e_nname = {bv_len = 24, bv_val = 0x7fffe000f2a0
"dc=hornetsecurity,dc=com"}, e_attrs = 0x90a2e8, e_ocflags = 65792, e_bv =
{bv_len = 0, 
    bv_val = 0x0}, e_private = 0x0}
manageDSAit = <optimized out>
stoptime = 1479390634
bsi = {bsi_op = 0x7fffe00028d0, bsi_rs = 0x7fffee335950, bsi_flags = 1,
bsi_base_ndn = 0x7fffe0002908, bsi_use_subtree_shortcut = 1, bsi_base_id =
{eid_id = 0, eid_keyval = 1, eid_oc_id = 1, eid_oc = 0xaf3dc0, eid_dn = {bv_len
= 24, 
      bv_val = 0x7fffe000f200 "dc=HORNETSECURITY,dc=COM"}, eid_ndn = {bv_len
=4%4, bv_val = 0x7fffe000f250 "dc=hornetsecurity,dc=com"}, eid_next = 0x0},
bsi_scope = 2, bsi_filter = 0x7fffe0002eb8, bsi_stoptime = 1479390634, 
  bsi_id_list = 0x7fffe0017658, bsi_id_listtail = 0x7fffe0017698, bsi_c_eid =
0x7fffee334478, bsi_n_candidates = -3, bsi_status = 0, bsi_oc = 0xaf3dc0,
bsi_sel = {bb_val = {bv_len = 0, bv_val = 0x0}, bb_len = 0}, bsi_from = {bb_val
= {
      bv_len = 0, bv_val = 0x0}, bb_len = 0}, bsi_join_where = {bb_val = {bv_len
= 0, bv_val = 0x0}, bb_len = 0}, bsi_flt_where = {bb_val = {bv_len = 0, bv_val =
0x0}, bb_len = 0}, bsi_filter_oc = 0x0, bsi_dbh = 0x7fffe0102cb0, 
  bsi_attrs = 0x0, bsi_e = 0x0}
eid = 0x7fffe0017658
nbase = {bv_len = 0, bv_val = 0x0}
lastid = 0
(gdb) print bsi->bsi_op
$3 = (Operation *) 0x7fffe00028d0
(gdb) print *(bsi->bsi_op)
$4 = {o_hdr = 0x7fffe0002a40, o_tag = 99, o_time = 1479387034, o_tincr = 1, o_bd
= 0x89b320, o_req_dn = {bv_len = 24, bv_val = 0x7fffe0002e40
"dc=hornetsecurity,dc=com"}, o_req_ndn = {bv_len = 24, 
    bv_val = 0x7fffe0002e90 "dc=hornetsecurity,dc=com"}, o_request = {oq_add =
{rs_modlist = 0x2, rs_e = 0xe10000001f4}, oq_bind = {rb_method = 2, rb_cred =
{bv_len = 15461882266100, bv_val = 0x89b3fc "\020\016"}, rb_edn = {bv_len = 0, 
        bv_val = 0x0}, rb_ssf = 3758108344, rb_mech = {bv_len = 15, bv_val =
0x7fffe0002ed8 "(objectClass=*)"}}, oq_compare = {rs_ava = 0x2}, oq_modify =
{rs_mods = {rs_modlist = 0x2, rs_no_opattrs = -12 '\364'}, rs_increment =
9024508}, 
    oq_modrdn = {rs_mods = {rs_modlist = 0x2, rs_no_opattrs = -12 '\364'},
rs_deleteoldrdn = 9024508, rs_newrdn = {bv_len = 0, bv_val = 0x0}, rs_nnewrdn =
{bv_len = 140736951496376, bv_val = 0xf <error: Cannot access memory at address
0xf>}, 
      rs_newSup = 0x7fffe0002ed8, rs_nnewSup = 0x0}, oq_search = {rs_scope = 2%
r rs_deref = 0, rs_slimit = 500, rs_tlimit = 3600, rs_limit = 0x89b3fc,
rs_attrsonly = 0, rs_attrs = 0x0, rs_filter = 0x7fffe0002eb8, rs_filterstr =
{bv_len = 15, 
        bv_val = 0x7fffe0002ed8 "(objectClass=*)"}}, oq_abandon = {rs_msgid =
2}, oq_canl l = {rs_msgid = 2}, oq_extended = {rs_reqoid = {bv_len = 2, bv_val =
0xe10000001f4 <error: Cannot access memory at address 0xe10000001f4>}, 
      rs_flags = 9024508, rs_reqdata = 0x0}, oq_pwdexop = {rs_extended =
{rs_reqoid = {bv_len = 2, bv_val = 0xe10000001f4 <error: Cannot access memory at
address 0xe10000001f4>}, rs_flags = 9024508, rs_reqdata = 0x0}, rs_old = {bv_len
= 0, 
        bv_val = 0x7fffe0002eb8 "\207"}, rs_new = {bv_len = 15, bv_val =
0x7fffe0002ed8 "(objectClass=*)"}, rs_mods = 0x0, rs_modtail = 0x0}}, o_abandon
= 0, o_cancel = 0, o_groups = 0x0, o_do_not_cache = 0 '\000', o_is_auth_check =
0 '\000', 
  o_dont_replicate = 0 '\000', o_acl_priv = ACL_NONE, o_nocaching = 0 '\000',
o_delete_glue_parent = 0 '\000', o_no_schema_check = 0 '\000',
o_no_subordinate_glue = 0 '\000', o_ctrlflag = '\000' <repeats 31 times>, 
  o_controls = 0x7fffe0002b90, o_authz = {sai_method = 128, sai_mech = {bv_len =
0, bv_val = 0x0}, sai_dn = {bv_len = 0, bv_val = 0x0}, sai_ndn = {bv_len = 0,
bv_val = 0x0}, sai_ssf = 0, sai_transport_ssf = 0, sai_tls_ssf = 0, 
    sai_sasl_ssf = 0}, o_ber = 0x7fffe0002620, o_res_ber = 0x0, o_callback =
0x0, o_ctrls = 0x0, o_csn = {bv_len = 0, bv_val = 0x0}, o_private = 0x0, o_extra
= {slh_first = 0x0}, o_next = {stqe_next = 0x0}}
(gdb)
In another debug session, I found by stepping through the code that e is
initialized from bi->sql_baseObject, which is also 0x0.
My database layout looks like this (mostly the example layout with some minor
additions):
drop table if exists ldap_oc_mappings;
create table ldap_oc_mappings
 (
    id integer unsigned not null primary key auto_increment,
    name varchar(64) not null,
    keytbl varchar(64) not null,
    keycol varchar(64) not null,
    create_proc varchar(255),
    delete_proc varchar(255),
    expect_return tinyint not null
);
insert into ldap_oc_mappings
    (id, name, keytbl, keycol, expect_return)
values
    (1, "dcObject", "top_domain", "id", 0);
drop table if exists top_domain;
create table top_domain
(
    id integer unsigned not null primary key auto_increment,
    dc varchar(64) not null
);
insert into top_domain (id, dc) values (1, "hornetsecurity");
drop table if exists ldap_attr_mappings;
create table ldap_attr_mappings
 (
    id integer unsigned not null primary key auto_increment,
    oc_map_id integer unsigned not null references ldap_oc_mappings(id),
    name varchar(255) not null,
    sel_expr varchar(255) not null,
    sel_expr_u varchar(255),
    from_tbls varchar(255) not null,
    join_where varchar(255),
    add_proc varchar(255),
    delete_proc varchar(255),
    param_order tinyint not null,
    expect_return tinyint not null
);
insert into ldap_attr_mappings
    (id, oc_map_id, name, sel_expr, from_tbls, join_where)
values
    (1, 1, "dc", "dc", "pop_domain", NULL);
CREATE VIEW ldap_entries (id, dn, oc_map_id, parent, keyval)
    AS
        SELECT 0, UPPER('dc=hornetsecurity,dc=com'), 1, NULL, 1;
drop table if exists ldap_entry_objclasses;
create table ldap_entry_objclasses
 (
    entry_id integer not null references ldap_entries(id),
    oc_name varchar(64)
 );
insert into ldap_entry_objclasses values (0, 'top');