mattias@centaurix.com wrote:
Full_Name: Mattias Andersson
Version: 2.4.25
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (83.182.107.220)
Please provide a full gdb backtrace from the assertion failure. I've reproduced this configuration locally but see no crash using ldapsearch. I don't have the Softerra browser.
I have configured a proxy server using both the relay backend and the translucent overlay:
backend hdb
backend relay

database hdb
directory /var/lib/ldap
suffix "dc=foo,dc=example,dc=com"
rootdn "cn=admin,dc=foo,dc=example,dc=com"
rootpw secret
index objectClass eq

database relay
suffix "dc=example,dc=com"
overlay rwm
rwm-suffixmassage "dc=foo,dc=example,dc=com"
overlay translucent
uri ldap://ldap.example.com
This configuration makes it possible for me to override attributes in the remote ldap directory and at the same time extend the local directory with new entries. This has been tested and works for authorization in a linux environment.
If I issue an LDAP search query, as follows,
ldapsearch -x -b dc=chalmers,dc=se -s base "(objectClass=*)" 1.1
it will yield the following debug output:
slapd starting
conn=1000 fd=11 ACCEPT from IP=127.0.0.1:36838 (IP=0.0.0.0:389)
conn=1000 op=0 BIND dn="" method=128
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 SRCH base="dc=example,dc=com" scope=0 deref=0 filter="(objectClass=*)"
conn=1000 op=1 SRCH attr=1.1
conn=1000 op=1: back-relay for DN="dc=example,dc=com" would call self.
conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1000 op=2 UNBIND
conn=1000 fd=11 closed
However, if I query the server using the Softerra LDAP Administrator software (Windows), the slapd daemon crashes with an assertion error:
slapd starting
conn=1000 fd=11 ACCEPT from IP=11.22.33.44:54752 (IP=0.0.0.0:389)
conn=1000 op=0 BIND dn="" method=128
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 SRCH base="dc=example,dc=com" scope=0 deref=0 filter="(objectClass=*)"
conn=1000 op=1 SRCH attr=1.1
conn=1000 op=1: back-relay for DN="dc=example,dc=com" would call self.
slapd: /build/buildd/openldap-2.4.25/servers/slapd/attr.c:236: attr_dup2: Assertion `j< i' failed.
Aborted
This is a security vulnerability, since it would be enough to send an LDAP query to take down the server.
We don't consider crashes/DOS to be a security vulnerability. A vulnerability is anything which allows users to see information they should not be allowed to see; in the case of a crash no information can be retrieved so all data is completely secure.
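Added example, not part of the original message and not OpenLDAP code: a Python triage helper that pairs an assertion abort in a slapd debug log with the operations that were still waiting for a RESULT, which is the information needed to tie a crash like the one above to the request that preceded it. The sample log is the crashing session quoted above, embedded as constructed input; the name `triage` and the regular expressions are assumptions of this example.

```python
import re

# Constructed sample input: the crashing session quoted in the report above.
CRASH_LOG = """slapd starting
conn=1000 fd=11 ACCEPT from IP=11.22.33.44:54752 (IP=0.0.0.0:389)
conn=1000 op=0 BIND dn="" method=128
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 SRCH base="dc=example,dc=com" scope=0 deref=0 filter="(objectClass=*)"
conn=1000 op=1 SRCH attr=1.1
conn=1000 op=1: back-relay for DN="dc=example,dc=com" would call self.
slapd: /build/buildd/openldap-2.4.25/servers/slapd/attr.c:236: attr_dup2: Assertion `j< i' failed.
Aborted
"""

# Request lines open an operation; RESULT lines close it.
OP_LINE = re.compile(r"^conn=(\d+) op=(\d+) (BIND|SRCH|MOD|ADD|DEL|MODRDN|CMP|EXT) (.*)$")
DONE_LINE = re.compile(r"^conn=(\d+) op=(\d+) (?:SEARCH )?RESULT ")
ASSERT_LINE = re.compile(r"^slapd: (\S+):(\d+): (\w+): Assertion `(.*)' failed\.$")

def triage(log_text):
    """Return (assertion, in_flight): the abort site, if any, and the
    operations that had been logged but had no RESULT when parsing stopped."""
    in_flight = {}
    assertion = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := OP_LINE.match(line):
            key = (int(m[1]), int(m[2]))
            in_flight.setdefault(key, []).append(f"{m[3]} {m[4]}")
        elif m := DONE_LINE.match(line):
            in_flight.pop((int(m[1]), int(m[2])), None)
        elif m := ASSERT_LINE.match(line):
            assertion = {"file": m[1], "line": int(m[2]),
                         "function": m[3], "expr": m[4]}
            break  # the process is gone; later lines belong to a restart
    return assertion, in_flight

if __name__ == "__main__":
    hit, pending = triage(CRASH_LOG)
    if hit:
        print(f"abort in {hit['function']} ({hit['file']}:{hit['line']})")
        for (conn, op), detail in pending.items():
            print(f"  in flight: conn={conn} op={op}: {'; '.join(detail)}")
```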