Full_Name: Eric Fox
Version: 2.3.42
OS: Linux i386
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (208.252.207.30)
Using slapo-rwm can cause slapd to crash when the following conditions occur:
1. overlay rwm is used in slapd.conf before or within a database meta section.
2. The database meta configuration proxies requests to a Windows Active Directory server.
3. An Active Directory User object is queried and contains a value of a single blank space in either the "homePhone" or "pager" attribute.
When the "overlay rwm" is removed from the configuration, the assertion does not occur.
-- slapd.conf --
database meta
suffix "dc=ad,dc=company,dc=com"
uri "ldaps://server.ad.example.com/dc=ad,dc=company,dc=com"
suffixmassage "dc=ad,dc=company,dc=com" "dc=ad,dc=example,dc=com"
chase-referrals no
idassert-bind bindmethod="simple" binddn="cn=proxyuser,cn=users,dc=ad,dc=example,dc=com" credentials="secret" mode="none"
overlay rwm
-- client sends --
ldapsearch -x -W -D 'cn=Eric,ou=users,dc=ad,dc=company,dc=com' -b 'ou=users,dc=ad,dc=company,dc=com' '(uid=eric)'
-- slapd asserts --
slapd: attr.c:141: attr_dup: Assertion `j == i' failed.
-- gdb --
gdb ./slapd
GNU gdb Red Hat Linux (6.5-37.el5_2.2rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db library "/lib/i686/nosegneg/libthread_db.so.1".
(gdb) r -d0 -h ldap:/// ldaps:/// -f /usr/local/etc/openldap/slapd.conf
Starting program: /usr/local/src/openldap/openldap-2.3.42/servers/slapd/slapd -d0 -h ldap:/// ldaps:/// -f /usr/local/etc/openldap/slapd.conf
[Thread debugging using libthread_db enabled]
[New Thread -1208166704 (LWP 19457)]
[New Thread -1223799920 (LWP 19460)]
[New Thread -1227998320 (LWP 19461)]
[New Thread -1232196720 (LWP 19462)]
[New Thread -1236395120 (LWP 19463)]
[New Thread -1240593520 (LWP 19464)]
slapd: attr.c:141: attr_dup: Assertion `j == i' failed.

Program received signal SIGABRT, Aborted.
[Switching to Thread -1232196720 (LWP 19462)]
0x004f1402 in __kernel_vsyscall ()
(gdb) bt full
#0  0x004f1402 in __kernel_vsyscall ()
No symbol table info available.
#1  0x0089ef20 in raise () from /lib/i686/nosegneg/libc.so.6
No symbol table info available.
#2  0x008a0901 in abort () from /lib/i686/nosegneg/libc.so.6
No symbol table info available.
#3  0x008982fb in __assert_fail () from /lib/i686/nosegneg/libc.so.6
No symbol table info available.
#4  0x0807dd03 in attr_dup (a=0x9b659f8) at attr.c:141
        j = 0
        i = 1
        tmp = (Attribute *) 0x9b8d570
        __PRETTY_FUNCTION__ = "attr_dup"
#5  0x0807ddc8 in attrs_dup (a=0x9b659f8) at attr.c:166
        tmp = (Attribute *) 0x9b659b0
        next = (Attribute **) 0x9b8d4f4
#6  0x0807e3b4 in entry_dup (e=0xb68e0e98) at entry.c:840
No locals.
#7  0x0817d868 in rwm_response (op=0x9b84828, rs=0xb68e21b4) at rwm.c:1380
        rwmap = (struct ldaprwmap *) 0x4c06
        rc = -10
#8  0x080cc3d2 in over_back_response (op=0x9b84828, rs=0xb68e21b4) at backover.c:237
        on = (slap_overinst *) 0x9a01210
        rc = 0
        be = (BackendDB *) 0xb68e0f9c
        db = {bd_info = 0x9a01210, be_ctrls = "\000", '\001' <repeats 16 times>, '\0' <repeats 15 times>, "\001", be_flags = 256, be_restrictops = 0, be_requires = 0, be_ssf_set = {sss_ssf = 0, sss_transport = 0, sss_tls = 0, sss_sasl = 0, sss_update_ssf = 0, sss_update_transport = 0, sss_update_tls = 0, sss_update_sasl = 0, sss_simple_bind = 0}, be_suffix = 0x99e4140, be_nsuffix = 0x99e4180, be_schemadn = {bv_len = 0, bv_val = 0x0}, be_schemandn = {bv_len = 0, bv_val = 0x0}, be_rootdn = {bv_len = 0, bv_val = 0x0}, be_rootndn = {bv_len = 0, bv_val = 0x0}, be_rootpw = {bv_len = 0, bv_val = 0x0}, be_max_deref_depth = 15, be_def_limit = {lms_t_soft = 3600, lms_t_hard = 0, lms_s_soft = 500, lms_s_hard = 0, lms_s_unchecked = -1, lms_s_pr = 0, lms_s_pr_hide = 0, lms_s_pr_total = 0}, be_limits = 0x0, be_acl = 0x99fa0d8, be_dfltaccess = ACL_READ, be_replica = 0x0, be_replogfile = 0x0, be_update_ndn = {bv_len = 0, bv_val = 0x0}, be_update_refs = 0x0, be_pending_csn_list = 0x9a9a430, be_pcl_mutex = {__data = { __lock = 0, __count = 0, __owner = 0, __kind = 0, __nusers = 0, {__spins = 0, __list = {__next = 0x0}}}, __size = '\0' <repeats 23 times>, __align = 0}, be_pcl_mutexp = 0x99e49c8, be_syncinfo = 0x0, be_pb = 0x0, be_cf_ocs = 0x0, be_private = 0x99e4a00, be_next = {stqe_next = 0x9a01590}}
#9  0x0808416f in slap_send_search_entry (op=0x9b84828, rs=0xb68e21b4) at result.c:717
        sc = (slap_callback *) 0xb59dd34c
        sc_prev = (slap_callback **) 0xb59dd34c
        sc_next = (slap_callback *) 0x0
        berbuf = {buffer = "�\a\034\bD\016\216��\v\216�\000\000\022\204\001\000\000\000�\v\216�\030\000\000\000�\v\216���\231\000�\000\000\000��\215\000�\v\216�\000�\033\bD\016\216�\000\000\000\000\004\000\000\000\r��\t�\177\233\000(\000\000\000�\v\216���\231\000\220U�\t��\215\000@\221\233\000�\v�\t�\v\216�\200,\216\000@\221\233\000�\v�\t("\216�\030\000\000\000�\v\216���\231\000PU\025\b�\177\233\000@\221\233\000�\017�\t\030\f\216�\200,\216\000@\221\233\000�\017�\t�\v�\t\000\000\000\000\030\f\216�|�\031\b\220U�\t�\177\233\000@\221\233\000�Y�\tH\f\216�"..., ialign = 136054759, lalign = 136054759, falign = 4.69538316e-34, dalign = -6.5807878282580064e-46, palign = 0x81c07e7 "\211s\030\211{\b\213]�\213u�\213}�\211�]�\215�"}
        ber = <value optimized out>
        a = <value optimized out>
        i = <value optimized out>
        j = <value optimized out>
        rc = 0
        edn = <value optimized out>
        userattrs = <value optimized out>
        acl_state = {as_recorded = 0, as_vd_acl = 0x0, as_vi_acl = 0x0, as_vd_acl_mask = 0, as_vd_acl_matches = {{rm_so = 0, rm_eo = 0} <repeats 100 times>}, as_vd_acl_count = 0, as_vd_access = 0x0, as_vd_access_count = 0, as_result = 0, as_vd_ad = 0x0}
        attrsonly = <value optimized out>
        ad_entry = (AttributeDescription *) 0x99a0968
        e_flags = (char **) 0x0
#10 0x080f84f2 in meta_back_search (op=0x9b84828, rs=0xb68e21b4) at search.c:2027
        e = {e_id = 0, e_name = {bv_len = 0, bv_val = 0x81f2400 ""}, e_nname = {bv_len = 0, bv_val = 0x81f2400 ""}, e_attrs = 0x9b65590, e_ocflags = 0, e_bv = {bv_len = 0, bv_val = 0x0}, e_private = 0x0}
        mod = {sm_op = 0, sm_flags = 0, sm_desc = 0x99e39a0, sm_type = {bv_len = 4, bv_val = 0x99ed2b8 "mail"}, sm_values = 0x9b659c8, sm_nvalues = 0x9b659e0}
        text = 0x0
        textbuf = "\003\000\000\000\020\000\000\000\000\000\000\000��\235��\016\216��\r\216�\035�\a\b\f\000\000\000���\t\210\r\216�\000\001\000\000�\016\216�\000\000\000\000\000\000\000\000�F�\t�\r\216�(H�\t�\r\216�w1\034\b��\235����\t\v\000\000\000�F�\t�F�\t�\r\216��\016\216�X\213\t\b�\r\216��\r\216��\016\216��\016\216�@y\233\000\000\000\000\000�\r\216�|�\031\b\225\017\216\000\000\000\001\000\000\000\000\000e", '\0' <repeats 15 times>, "��\235���\235�\000\000\000\000\000\000\000\000���\t\225\017\216\000\v\000\000\0008\016\216��F�\t,"...
        next = (Attribute *) 0x9b659f8
        tap = <value optimized out>
        ap = <value optimized out>
        mi = (metainfo_t *) 0x99e4a00
        mc = (metaconn_t *) 0x9b47c50
        tv = {tv_sec = 0, tv_usec = 100000}
        stoptime = 1216759554
        lastres_time = 1216755954
        timeout = <value optimized out>
        rc = 100
        sres = 0
        matched = <value optimized out>
        ncandidates = 1
        candidate_match = 0
        needbind = <value optimized out>
        sendok = <value optimized out>
        i = <value optimized out>
        dc = {target = 0x99fe348, conn = 0xb70e69e8, ctx = 0x81e6ffa "searchBase", rs = 0xb68e21b4}
        is_ok = 0
        savepriv = <value optimized out>
        candidates = (SlapReply *) 0x9b4c878
        __PRETTY_FUNCTION__ = "meta_back_search"
#11 0x080cc5d1 in overlay_op_walk (op=0x9b84828, rs=0xb68e21b4, which=op_search, oi=0x9a01120, on=0x9a01210) at backover.c:650
        sc_next = <value optimized out>
        rc = 32768
#12 0x080cc9bd in over_op_func (op=0x9b84828, rs=0xb68e21b4, which=op_search) at backover.c:702
        oi = (slap_overinfo *) 0x9a01120
        on = (slap_overinst *) 0x9a01210
        be = (BackendDB *) 0x99e48f8
        db = {bd_info = 0x8238080, be_ctrls = "\000", '\001' <repeats 16 times>, '\0' <repeats 15 times>, "\001", be_flags = 256, be_restrictops = 0, be_requires = 0, be_ssf_set = {sss_ssf = 0, sss_transport = 0, sss_tls = 0, sss_sasl = 0, sss_update_ssf = 0, sss_update_transport = 0, sss_update_tls = 0, sss_update_sasl = 0, sss_simple_bind = 0}, be_suffix = 0x99e4140, be_nsuffix = 0x99e4180, be_schemadn = {bv_len = 0, bv_val = 0x0}, be_schemandn = {bv_len = 0, bv_val = 0x0}, be_rootdn = {bv_len = 0, bv_val = 0x0}, be_rootndn = {bv_len = 0, bv_val = 0x0}, be_rootpw = {bv_len = 0, bv_val = 0x0}, be_max_deref_depth = 15, be_def_limit = {lms_t_soft = 3600, lms_t_hard = 0, lms_s_soft = 500, lms_s_hard = 0, lms_s_unchecked = -1, lms_s_pr = 0, lms_s_pr_hide = 0, lms_s_pr_total = 0}, be_limits = 0x0, be_acl = 0x99fa0d8, be_dfltaccess = ACL_READ, be_replica = 0x0, be_replogfile = 0x0, be_update_ndn = {bv_len = 0, bv_val = 0x0}, be_update_refs = 0x0, be_pending_csn_list = 0x9a9a430, be_pcl_mutex = {__data = { __lock = 0, __count = 0, __owner = 0, __kind = 0, __nusers = 0, {__spins = 0, __list = {__next = 0x0}}}, __size = '\0' <repeats 23 times>, __align = 0}, be_pcl_mutexp = 0x99e49c8, be_syncinfo = 0x0, be_pb = 0x0, be_cf_ocs = 0x0, be_private = 0x99e4a00, be_next = {stqe_next = 0x9a01590}}
        cb = {sc_next = 0x0, sc_response = 0x80cc360 <over_back_response>, sc_cleanup = 0, sc_private = 0x9a01120}
        rc = 0
        __PRETTY_FUNCTION__ = "over_op_func"
#13 0x0807716f in fe_op_search (op=0x9b84828, rs=0xb68e21b4) at search.c:355
        entry = (Entry *) 0x0
        bd = (BackendDB *) 0x823f260
#14 0x08077a90 in do_search (op=0x9b84828, rs=0xb68e21b4) at search.c:217
        base = {bv_len = 59, bv_val = 0x9ab021f "ou=users,ou=einstein industries,dc=ad,dc=eiinetworks,dc=com"}
        siz = 0
        i = 32
#15 0x080752d2 in connection_operation (ctx=0xb68e2228, arg_v=0x9b84828) at connection.c:1133
        curelm = <value optimized out>
        rc = <value optimized out>
        rs = {sr_type = REP_SEARCH, sr_tag = 0, sr_msgid = 0, sr_err = 0, sr_matched = 0x0, sr_text = 0x0, sr_ref = 0x0, sr_ctrls = 0x0, sr_un = {sru_sasl = {r_sasldata = 0xb68e0e98}, sru_extended = {r_rspoid = 0xb68e0e98 "", r_rspdata = 0x21}, sru_search = {r_entry = 0xb68e0e98, r_attr_flags = 33, r_operational_attrs = 0x0, r_attrs = 0x0, r_nentries = 0, r_v2ref = 0x0}}, sr_flags = 0}
        tag = 99
        opidx = SLAP_OP_SEARCH
        conn = (Connection *) 0xb70e69e8
        memctx = (void *) 0x9b7e0a0
        memctx_null = (void *) 0x0
        __PRETTY_FUNCTION__ = "connection_operation"
#16 0x0819d923 in ldap_int_thread_pool_wrapper (xpool=0x99a2f30) at tpool.c:478
        ctx = (ldap_int_thread_ctx_t *) 0x9aae018
        ltc_key = {{ltk_key = 0x80be1e0, ltk_data = 0x9b7e0a0, ltk_free = 0x80bdd50 <slap_sl_mem_destroy>}, {ltk_key = 0x825b894, ltk_data = 0x9b4c7e8, ltk_free = 0x8151430 <meta_back_candidates_keyfree>}, {ltk_key = 0x0, ltk_data = 0x0, ltk_free = 0} <repeats 30 times>}
        tid = 3062770576
        i = 511
        hash = <value optimized out>
#17 0x009f2482 in start_thread () from /lib/i686/nosegneg/libpthread.so.0
No symbol table info available.
#18 0x00948c8e in clone () from /lib/i686/nosegneg/libc.so.6
No symbol table info available.
(gdb)
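-- editor's note: the invariant behind the assertion --

The assertion in frame #4 is attr_dup() checking that an attribute's value array (a_vals) and normalized-value array (a_nvals) have the same length; the locals show i = 1 and j = 0, i.e. one value with no normalized counterpart. The C below is an added model of that check and is not code from the report or from OpenLDAP: the berval and Attribute types are simplified stand-ins, and the cause is an inference rather than something the report states. homePhone and pager use telephoneNumber syntax, whose normalization (as I understand OpenLDAP's telephoneNumberNormalize) strips spaces and hyphens and rejects an empty result, so a single blank space normalizes to nothing. build_naive produces the mismatched arrays a proxy could hand to entry_dup(); build_aligned is a hypothetical handling that drops the bad value from both arrays so the check always passes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_VALS 8

/* Stand-in for OpenLDAP's struct berval; a NULL bv_val terminates an array. */
typedef struct {
    size_t bv_len;
    char *bv_val;
} berval;

/* Stand-in for the two arrays attr_dup() walks. */
typedef struct {
    berval a_vals[MAX_VALS + 1];   /* values as received from the remote server */
    berval a_nvals[MAX_VALS + 1];  /* normalized values used for matching */
} Attribute;

/* Simplified telephoneNumber normalization (assumption: strip spaces and
 * hyphens, reject an empty result). Returns 0 on success, -1 for invalid syntax. */
int telephone_normalize(const char *in, char *out, size_t outsz) {
    size_t n = 0;
    for (; *in; in++) {
        if (*in == ' ' || *in == '-') continue;
        if (n + 1 >= outsz) return -1;
        out[n++] = *in;
    }
    out[n] = '\0';
    return n == 0 ? -1 : 0;
}

static void bv_set(berval *bv, const char *s) {
    bv->bv_len = strlen(s);
    bv->bv_val = malloc(bv->bv_len + 1);
    memcpy(bv->bv_val, s, bv->bv_len + 1);
}

/* Count entries up to the terminator, the way attr_dup()'s loops do. */
int bv_count(const berval *bvs) {
    int n = 0;
    while (bvs[n].bv_val != NULL) n++;
    return n;
}

/* Copies every value but stores a normalized value only when normalization
 * succeeds, so one bad value leaves a_nvals shorter than a_vals (assumed here
 * to be the state the proxy produced). */
void build_naive(Attribute *a, const char **values, int n) {
    int i, j = 0;
    char buf[256];
    memset(a, 0, sizeof *a);
    for (i = 0; i < n && i < MAX_VALS; i++) {
        bv_set(&a->a_vals[i], values[i]);
        if (telephone_normalize(values[i], buf, sizeof buf) == 0)
            bv_set(&a->a_nvals[j++], buf);
    }
}

/* Hypothetical aligned handling: a value that fails to normalize is dropped
 * from both arrays, so i == j holds whenever the entry is duplicated. */
void build_aligned(Attribute *a, const char **values, int n) {
    int i, k = 0;
    char buf[256];
    memset(a, 0, sizeof *a);
    for (i = 0; i < n && i < MAX_VALS; i++) {
        if (telephone_normalize(values[i], buf, sizeof buf) != 0) continue;
        bv_set(&a->a_vals[k], values[i]);
        bv_set(&a->a_nvals[k], buf);
        k++;
    }
}

/* The invariant behind attr.c:141's assert(j == i): i values, j normalized
 * values. Returns 0 when they agree, -1 where slapd would abort. */
int attr_dup_check(const Attribute *a) {
    int i = bv_count(a->a_vals);
    int j = bv_count(a->a_nvals);
    return i == j ? 0 : -1;
}

void attr_free(Attribute *a) {
    int k;
    for (k = 0; a->a_vals[k].bv_val; k++) free(a->a_vals[k].bv_val);
    for (k = 0; a->a_nvals[k].bv_val; k++) free(a->a_nvals[k].bv_val);
}

int main(void) {
    /* Constructed sample: the AD user's homePhone is a single blank space. */
    const char *blank[] = { " " };
    Attribute a;
    build_naive(&a, blank, 1);
    printf("naive:   i=%d j=%d check=%d\n", bv_count(a.a_vals), bv_count(a.a_nvals), attr_dup_check(&a));
    attr_free(&a);
    build_aligned(&a, blank, 1);
    printf("aligned: i=%d j=%d check=%d\n", bv_count(a.a_vals), bv_count(a.a_nvals), attr_dup_check(&a));
    attr_free(&a);
    return 0;
}
```

Run it and the naive build reports i=1 j=0 with the check failing, which is exactly the pair of locals in frame #4; a value such as "+1 555-0100" normalizes cleanly and passes in both builds. Whichever component is fixed, the property to preserve is that nothing hands entry_dup() an attribute whose two arrays disagree in length.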