Full_Name: Ryan Tandy
Version: HEAD
OS: Ubuntu 14.04
URL:
Submission from: (NULL) (142.32.208.226)
Debian bug report: http://bugs.debian.org/666515
Confirmed on master (at commit fcdd3a06) and RE24 (at commit 1253d7c1).
ldapadd or slapadd of an entry with a naming attribute such as 'audio' or 'jpegPhoto' is rejected with a reasonable error message:
$ slapadd
dn: jpegPhoto=test,dc=example,dc=com
objectClass: inetOrgPerson
slapadd: dn="jpegPhoto=test,dc=example,dc=com" (line=1): (64) naming attribute 'jpegPhoto' has no equality matching rule
However, creating an entry with a valid DN and using ldapmodrdn to request a change of the naming attr to 'jpegPhoto' crashes slapd:
$ slapadd
dn: cn=Ryan Tandy,dc=example,dc=com
objectClass: inetOrgPerson
sn: Tandy
jpegPhoto: test

$ [start slapd...]
$ ldapmodrdn -x -D cn=root,dc=example,dc=com -W 'cn=Ryan Tandy,dc=example,dc=com' 'jpegPhoto=test'
Enter LDAP Password:
ldap_result: Can't contact LDAP server (-1)
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffd81a60700 (LWP 9095)]
0x00000000004667f3 in slap_modrdn2mods (op=0x7ffd740026b0, rs=0x7ffd81a5faf0) at modrdn.c:448
448             if( desc->ad_type->sat_equality->smr_normalize) {
(gdb) bt full
#0  0x00000000004667f3 in slap_modrdn2mods (op=0x7ffd740026b0, rs=0x7ffd81a5faf0) at modrdn.c:448
        desc = 0x9add80
        mod_tmp = 0x7ffd74002670
        a_cnt = 0
        d_cnt = 32765
        old_rdn = 0x0
        new_rdn = 0x7ffd74003090
        __PRETTY_FUNCTION__ = "slap_modrdn2mods"
#1  0x0000000000465688 in do_modrdn (op=0x7ffd740026b0, rs=0x7ffd81a5faf0) at modrdn.c:179
        dn = {bv_len = 31, bv_val = 0x7ffd74102c77 "cn=Ryan Tandy,dc=example,dc=com"}
        newrdn = {bv_len = 14, bv_val = 0x7ffd74102c98 "jpegPhoto=test"}
        newSuperior = {bv_len = 0, bv_val = 0x0}
        deloldrdn = 0
        pnewSuperior = {bv_len = 0, bv_val = 0x0}
        nnewSuperior = {bv_len = 0, bv_val = 0x0}
        length = 0
#2  0x000000000044029f in connection_operation (ctx=0x7ffd81a5fc40, arg_v=0x7ffd740026b0) at connection.c:1134
        rc = 80
        cancel = 0
        op = 0x7ffd740026b0
        rs = {sr_type = REP_RESULT, sr_tag = 0, sr_msgid = 0, sr_err = 0, sr_matched = 0x0, sr_text = 0x0, sr_ref = 0x0, sr_ctrls = 0x0, sr_un = {sru_search = {r_entry = 0x0, r_attr_flags = 0, r_operational_attrs = 0x0, r_attrs = 0x0, r_nentries = 0, r_v2ref = 0x0}, sru_sasl = {r_sasldata = 0x0}, sru_extended = {r_rspoid = 0x0, r_rspdata = 0x0}}, sr_flags = 0}
        tag = 108
        opidx = SLAP_OP_MODRDN
        conn = 0x7ffff7e6ae90
        memctx = 0x7ffd74002bf0
        memctx_null = 0x0
        memsiz = 1048576
        __PRETTY_FUNCTION__ = "connection_operation"
#3  0x00000000004408f8 in connection_read_thread (ctx=0x7ffd81a5fc40, argv=0x10) at connection.c:1270
        rc = 0
        cri = {op = 0x7ffd740026b0, func = 0x0, arg = 0x0, ctx = 0x7ffd81a5fc40, nullop = 0}
        s = 16
#4  0x00007ffff7b89e5e in ldap_int_thread_pool_wrapper (xpool=0x7fa480) at tpool.c:945
        pq = 0x7fa480
        pool = 0x7fa370
        task = 0x7ffd7c0008c0
        work_list = 0x7fa4f0
        ctx = {ltu_pq = 0x7fa480, ltu_id = 140726778595072, ltu_key = {{ltk_key = 0x43fd34 <conn_counter_init>, ltk_data = 0x7ffd74002ae0, ltk_free = 0x43fb86 <conn_counter_destroy>}, {ltk_key = 0x4b9a08 <slap_sl_mem_init>, ltk_data = 0x7ffd74002bf0, ltk_free = 0x4b982d <slap_sl_mem_destroy>}, {ltk_key = 0x45c06b <slap_op_free>, ltk_data = 0x0, ltk_free = 0x45bfbe <slap_op_q_destroy>}, {ltk_key = 0x0, ltk_data = 0x0, ltk_free = 0x0} <repeats 23 times>, {ltk_key = 0x0, ltk_data = 0xe81b289de6cb1252, ltk_free = 0x80}, {ltk_key = 0x0, ltk_data = 0x0, ltk_free = 0x0}, {ltk_key = 0x0, ltk_data = 0x0, ltk_free = 0x0}, {ltk_key = 0x0, ltk_data = 0x0, ltk_free = 0x0}, {ltk_key = 0x0, ltk_data = 0x0, ltk_free = 0x0}, {ltk_key = 0x0, ltk_data = 0x0, ltk_free = 0x0}}}
        kctx = 0x0
        i = 32
        keyslot = 586
        hash = 2858034762
        pool_lock = 0
        freeme = 0
        __PRETTY_FUNCTION__ = "ldap_int_thread_pool_wrapper"
#5  0x00007ffff5dbf062 in start_thread (arg=0x7ffd81a60700) at pthread_create.c:312
        __res = <optimized out>
        pd = 0x7ffd81a60700
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140726778595072, 1720423256181903954, 1, 140737354125408, 0, 140726778595072, -1721737773892038062, -1720445005621816750}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#6  0x00007ffff5af2bfd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
No locals.
The problem is a dereference of the missing equality rule:
(gdb) p desc->ad_type
$1 = (AttributeType *) 0x83ec70
(gdb) p desc->ad_type->sat_equality
$2 = (MatchingRule *) 0x0
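
The missing check, as an added sketch that is neither OpenLDAP source nor the project's fix: each pointer hop from the attribute description to the normalizer is tested before it is followed, and an attribute without an equality rule gets the same (64) error the add path already returns. The struct definitions are simplified stand-ins that model only the fields named in the report, and `sat_name`, `normalize_rdn_value`, `lower_norm` and the sample schema are hypothetical names constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Simplified stand-ins for slapd's schema structures (assumption). */
typedef int (*normalize_fn)(const char *in, char *out, size_t outlen);
typedef struct { normalize_fn smr_normalize; } MatchingRule;
typedef struct { const char *sat_name; MatchingRule *sat_equality; } AttributeType;
typedef struct { AttributeType *ad_type; } AttributeDescription;
#define NAMING_VIOLATION 64 /* result code shown in the slapadd error */

/* Hypothetical helper: normalize a new RDN value, testing each pointer hop
 * before following it. Returns 0 on success, 64 with a message otherwise. */
int normalize_rdn_value(const AttributeDescription *desc, const char *val,
                        char *out, size_t outlen, char *text, size_t len)
{
    if (desc == NULL || desc->ad_type == NULL) {
        snprintf(text, len, "unknown naming attribute");
        return NAMING_VIOLATION;
    }
    const MatchingRule *eq = desc->ad_type->sat_equality;
    if (eq == NULL) {                 /* the pointer that was NULL at modrdn.c:448 */
        snprintf(text, len, "naming attribute '%s' has no equality matching rule",
                 desc->ad_type->sat_name);
        return NAMING_VIOLATION;
    }
    if (eq->smr_normalize)
        return eq->smr_normalize(val, out, outlen);
    snprintf(out, outlen, "%s", val); /* rule present but has no normalizer */
    return 0;
}

/* Constructed sample schema: cn has an equality rule, jpegPhoto has none. */
static int lower_norm(const char *in, char *out, size_t n)
{
    size_t i = 0;
    for (; n && in[i] && i + 1 < n; i++) out[i] = (char)tolower((unsigned char)in[i]);
    if (n) out[i] = '\0';
    return n ? 0 : 1;
}
static MatchingRule ci_match = { lower_norm };
static AttributeType at_cn = { "cn", &ci_match }, at_jpeg = { "jpegPhoto", NULL };
static AttributeDescription ad_cn = { &at_cn }, ad_jpeg = { &at_jpeg };
static char out_buf[64], msg[128];

int main(void)
{
    int rc = normalize_rdn_value(&ad_jpeg, "test", out_buf, sizeof out_buf, msg, sizeof msg);
    return printf("(%d) %s\n", rc, msg) < 0;
}
```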