Full_Name: Neil Dunbar
Version: 2.4.21
OS: Debian 5, Ubuntu 9.10
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (68.142.115.87)

Hi there,
It looks like there's a small bug in memberof.c - it only manifests itself when "memberof_dangling" is set to "drop". I think that, while the overlay reduces the a->a_vals and a->a_nvals array by one, to strip out a non-existent DN, it needs to reduce the a->a_numvals variable as well.
The end result of this is that if one adds a group which has a mix of members which exist in the DIT, and some which don't, the entry_encode() routine will segfault. [I can only reproduce the segv in back-bdb and back-hdb. back-ldif doesn't seem to exhibit this behaviour].
I've uploaded a tiny slapd.conf and test LDIF file (in ftp://ftp.openldap.org/incoming/memberof-segv-20100407.tar.gz) which is normally enough to trigger the fault. If one starts up slapd via
slapd -f mof-slapd.conf -h ldap://localhost -d trace
followed by
ldapmodify -x -H ldap://localhost -D cn=admin,dc=test -w adminpw -f ldif/test-memberof.ldif
one should see an assertion fail in entry_encode() with (i == a->a_numvals) failing.
The following patch seems to fix it, but I haven't done real regression testing to see if it rolls other errors. The normal slapd unit tests seem to yield proper results though.
---8<----8<------ --- memberof.c.orig 2010-04-07 16:49:44.000000000 -0700 +++ memberof.c 2010-04-07 16:49:20.000000000 -0700 @@ -580,6 +580,7 @@ sizeof( struct berval ) * ( j - i ) ); } i--; + a->a_numvals--; } } ---8<----8<------
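Review bot: after `+ a->a_numvals--;` the hunk shows no handling for the count reaching zero, which is what happens when every member of the added group is dangling. Please confirm that the code around this loop removes, or otherwise copes with, an attribute left with no values before the entry reaches entry_encode(). Since the report says no real regression testing was done, a test case that adds a group mixing existing and non-existent members with memberof_dangling set to drop would be worth including with the change.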
Hope this helps,
Neil
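
The mismatch described in the report, as an added example (not OpenLDAP code and not part of the original submission): a simplified model of an attribute whose value array is shortened in place, with and without the matching count decrement. The struct layout, the DNs, and the helpers dn_exists, drop_dangling, count_matches and run_case are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the value and attribute structures (assumption:
 * only the fields named in the report are modelled). */
struct berval { size_t bv_len; const char *bv_val; };
struct attr { struct berval *a_vals; unsigned a_numvals; };
#define BV(s) { sizeof(s) - 1, (s) }

/* Hypothetical existence check; constructed rule: "cn=ghost..." DNs are dangling. */
static int dn_exists(const struct berval *dn) {
    return strncmp(dn->bv_val, "cn=ghost", 8) != 0;
}

/* Drop dangling values in place. fix_count = 1 models the patched behaviour. */
static void drop_dangling(struct attr *a, int fix_count) {
    int i, j;
    for (i = 0; a->a_vals[i].bv_val != NULL; i++) {
        if (dn_exists(&a->a_vals[i])) continue;
        for (j = i + 1; a->a_vals[j].bv_val != NULL; j++) { }
        /* Shift the tail, terminator included, down one slot. */
        memmove(&a->a_vals[i], &a->a_vals[i + 1],
                sizeof(struct berval) * (j - i));
        i--;                          /* re-examine the slot just filled */
        if (fix_count) a->a_numvals--;
    }
}

/* The invariant the report says entry_encode() asserts: walking the array to
 * its terminator must find exactly a_numvals values. */
static int count_matches(const struct attr *a) {
    unsigned i = 0;
    while (a->a_vals[i].bv_val != NULL) i++;
    return i == a->a_numvals;
}

/* Constructed group: two existing members and two dangling ones. */
static int run_case(int fix_count) {
    struct berval vals[] = { BV("cn=alice,dc=test"), BV("cn=ghost1,dc=test"),
                             BV("cn=bob,dc=test"), BV("cn=ghost2,dc=test"),
                             { 0, NULL } };
    struct attr a = { vals, 4 };
    drop_dangling(&a, fix_count);
    return count_matches(&a);
}

int main(void) {
    printf("without decrement: invariant %s\n", run_case(0) ? "holds" : "broken");
    printf("with decrement:    invariant %s\n", run_case(1) ? "holds" : "broken");
    return 0;
}
```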