mattias(a)centaurix.com wrote:
Full_Name: Mattias Andersson
Version: 2.4.25
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (83.182.107.220)

Please provide a full gdb backtrace from the assertion failure. I've
reproduced this configuration locally but see no crash using ldapsearch. I
don't have the Softerra browser.

I have configured a proxy server using both the relay backend and the
translucent overlay:
backend hdb
backend relay
database hdb
directory /var/lib/ldap
suffix "dc=foo,dc=example,dc=com"
rootdn "cn=admin,dc=foo,dc=example,dc=com"
rootpw secret
index objectClass eq
database relay
suffix "dc=example,dc=com"
overlay rwm
rwm-suffixmassage "dc=foo,dc=example,dc=com"
overlay translucent
uri ldap://ldap.example.com
This configuration makes it possible for me to override attributes in the remote
LDAP directory and at the same time extend the local directory with new entries.
This has been tested and works for authorization in a Linux environment.
If I issue an LDAP search query, as follows,
ldapsearch -x -b dc=chalmers,dc=se -s base "(objectClass=*)" 1.1
it will yield the following debug output:
slapd starting
conn=1000 fd=11 ACCEPT from IP=127.0.0.1:36838 (IP=0.0.0.0:389)
conn=1000 op=0 BIND dn="" method=128
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 SRCH base="dc=example,dc=com" scope=0 deref=0 filter="(objectClass=*)"
conn=1000 op=1 SRCH attr=1.1
conn=1000 op=1: back-relay for DN="dc=example,dc=com" would call self.
conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1000 op=2 UNBIND
conn=1000 fd=11 closed
However, if I query the server using the Softerra LDAP Administrator software
(Windows), the slapd daemon crashes with an assertion error:
slapd starting
conn=1000 fd=11 ACCEPT from IP=11.22.33.44:54752 (IP=0.0.0.0:389)
conn=1000 op=0 BIND dn="" method=128
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 SRCH base="dc=example,dc=com" scope=0 deref=0 filter="(objectClass=*)"
conn=1000 op=1 SRCH attr=1.1
conn=1000 op=1: back-relay for DN="dc=example,dc=com" would call self.
slapd: /build/buildd/openldap-2.4.25/servers/slapd/attr.c:236: attr_dup2: Assertion `j< i' failed.
Aborted
This is a security vulnerability, since it would be enough to send an LDAP query
to take down the server.

We don't consider crashes/DOS to be a security vulnerability. A vulnerability
is anything which allows users to see information they should not be allowed
to see; in the case of a crash no information can be retrieved so all data is
completely secure.

--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/