Ubuntu
openldap package

crash in slap_bv2ad using repeated tags

Bug #1593378 reported by Eric Desrochers on 2016-06-16

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	openldap (Ubuntu)	Fix Released	Medium	Eric Desrochers
	Trusty	Fix Released	Medium	Eric Desrochers

Bug Description

[SRU JUSTIFICATION]

[Impact]

The effect of the bug on users is that the program (slapd) terminated with signal SIGSEGV, Segmentation fault when ldapsearch tries to query using multiple language tags.

GDB output:
...
Core was generated by `/usr/sbin/slapd -h ldap://<IP>:389 ldap://<IP>:389/ ldapi:/// -g o'.
Program terminated with signal SIGSEGV, Segmentation fault.
...

(gdb) bt
#0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
#1 0x00007f674ae8cab2 in slap_bv2ad (bv=bv@entry=0x7f6741e0e830, ad=ad@entry=0x7f6741e0e848, text=text@entry=0x7f6741e0f980) at ../../../../servers/slapd/ad.c:268
...

In frame #1 the 'tags' struct is corrupt.

Line #272 checks for duplication and jumps to the done label (line #294) when a duplicate is found. The code increases 'ntags' without filling in the tags struct with values. In later iterations this could lead to copying and using uninitialised memory.

[Test Case]

One way to reproduce the issue :

$ ldapsearch -D "cn=<BINDDN_COMMON_NAME>,dc=<BINDDN_DOMAIN_COMPONENT>,dc=<BINDDN_DOMAIN_COMPONENT>,dc=<BINDDN_DOMAIN_COMPONENT>" -x -W -b "dc=<SEARCHPATH_DOMAIN_COMPONENT>,dc=<SEARCHPATH_DOMAIN_COMPONENT>,dc=<SEARCHPATH_DOMAIN_COMPONENT>" "cn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de"

Explanation :

Reference:
http://manpages.ubuntu.com/cgi-bin/search.py?q=ldapsearch

-D binddn
Use the Distinguished Name binddn to bind to the LDAP directory.
For SASL binds, the server is expected to ignore this value.

-x
Use simple authentication instead of SASL.

-W
Prompt for simple authentication. This is used instead of
specifying the password on the command line.

-b searchbase
Use searchbase as the starting point for the search instead of the default.

[Regression Potential]

The patch is already in place in Debian & Wily and late Ubuntu release version.

A hotfix has been tested by the user that originally reported the issue.
The hotfix solves the issue.

[Other Info]

Upstream OpenLDAP Bug :
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7941;page=9

Upstream OpenLDAP Commit :
af8f1e0 ITS#7941 fix for repeated tags

Upstream OpenLDAP Commit Web :
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=af8f1e0

(The commit has been introduced first in upstream branch : OPENLDAP_REL_ENG_2_4_40~6)

[Original Description]

Core was generated by `/usr/sbin/slapd -h ldap://<IP>:389 ldap://<IP>:389/ ldapi:/// -g o'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
210 ../sysdeps/x86_64/multiarch/../strcmp.S: No such file or directory.
(gdb) bt
#0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
#1 0x00007f674ae8cab2 in slap_bv2ad (bv=bv@entry=0x7f6741e0e830, ad=ad@entry=0x7f6741e0e848, text=text@entry=0x7f6741e0f980) at ../../../../servers/slapd/ad.c:268
#2 0x00007f674ae4d235 in get_filter (op=op@entry=0x7f672c000a80, ber=<optimized out>, filt=filt@entry=0x7f672c000af0, text=text@entry=0x7f6741e0f980)
at ../../../../servers/slapd/filter.c:190
#3 0x00007f674ae4b985 in do_search (op=0x7f672c000a80, rs=0x7f6741e0f960) at ../../../../servers/slapd/search.c:127
#4 0x00007f674ae496dc in connection_operation (ctx=ctx@entry=0x7f6741e0fb90, arg_v=arg_v@entry=0x7f672c000a80) at ../../../../servers/slapd/connection.c:1150
#5 0x00007f674ae49a40 in connection_read_thread (ctx=0x7f6741e0fb90, argv=0x19) at ../../../../servers/slapd/connection.c:1286
#6 0x00007f674a9a7aba in ?? () from /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#7 0x00007f67498dc182 in start_thread (arg=0x7f6741e10700) at pthread_create.c:312
#8 0x00007f674960947d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

See original description

Tags:

Revision history for this message

Eric Desrochers (slashd) wrote on 2016-06-16:

I think this upstream commit could be a possible candidate to fix that issue :

commit 0659ef45d486b5daaafc020cb67b561a8029036d
Author: Howard Chu <email address hidden>
Date: Thu Sep 18 00:33:33 2014 +0100

ITS#7941 fix for repeated tags

Make sure ntags isn't incremented if we're skippnig the tag

diff --git a/servers/slapd/ad.c b/servers/slapd/ad.c
index 78a8b15..246b900 100644
--- a/servers/slapd/ad.c
+++ b/servers/slapd/ad.c
@@ -271,6 +271,7 @@ int slap_bv2ad(

                                if( rc == 0 && (unsigned)optlen == tags[i].bv_len ) {
                                        /* duplicate (ignore) */
+ ntags--;
                                        goto done;

} else if ( rc > 0 ||

Eric Desrochers (slashd) on 2016-06-16

Changed in openldap (Ubuntu):
importance:	Undecided → Medium

Revision history for this message

Eric Desrochers (slashd) wrote on 2016-06-16:

line #272 checks for duplication and jumps to the done label (line #294) when a duplicate is found.

The code increases 'ntags' without filling in the tags struct with values.
In later iterations this could lead to copying and using uninitialised memory.

Eric Desrochers (slashd) on 2016-06-17

Changed in openldap (Ubuntu):
assignee:	nobody → Eric Desrochers (slashd)

Revision history for this message

Eric Desrochers (slashd) wrote on 2016-06-17:

Download full text (13.9 KiB)

In frame #1

(gdb) p tags
$2 = {{bv_len = 7, 
    bv_val = 0x7f672c104866 "lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...}, {bv_len = 9, 
    bv_val = 0x7f672c10486e "lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...}, {bv_len = 0, bv_val = 0x0}, {bv_len = 7, 
    bv_val = 0x7f672c10488a "lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...}, {bv_len = 9, 
    bv_val = 0x7f672c104880 "lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...}, {bv_len = 0, bv_val = 0x0}, {bv_len = 7, 
    bv_val = 0x7f672c10489c "lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...}, {bv_len = 9, 
    bv_val = 0x7f672c1048a4 "lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...}, {bv_len = 0, bv_val = 0x0}, {bv_len = 7, 
    bv_val = 0x7f672c1048c0 "lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...}, {bv_len = 9, 
    bv_val = 0x7f672c1048b6 "lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...}, {bv_len = 2, bv_val = 0x7f6741e0df70 "240.0.0.2"}, {bv_len = 7, 
    bv_val = 0x7f672c1048d2 "lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...}, {bv_len = 9, 
    bv_val = 0x7f672c1048da "lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...}, {bv_len = 0, bv_val = 0x0}, {bv_len = 7, 
    bv_val = 0x7f672c1048f6 "lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...}, {bv_len = 9, 
    bv_val = 0x7f672c1048ec "lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...}, {bv_len = 0, bv_val = 0x0}, {bv_len = 7, 
    bv_val = 0x7f672c104908 "lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...}, {bv_len = 9, 
    bv_val = 0x7f672c104910 "lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...}, {bv_len = 0, bv_val = 0x0}, {bv_len = 7, 
    bv_val = 0x7f672c10492c "lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...}, {bv_len = 9, 
    bv_val = 0x7f672c104922 "lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...}, {bv_len = 140081463615264, bv_val = 0x7f67495df48b <__GI_getaddrinfo+1915> "H\213\205\300\376\377\377H\205\300\017\204\216\001"}, {bv_len = 7, 
    bv_val = 0x7f672c10493e "lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...}, {bv_len = 9, 
    bv_val = 0x7f672c104946 "lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...}, {bv_len = 140081589971545, bv_val = 0x7f67495594ea <_IO_vfprintf_internal+2042> "H\213\225\060\373\377\377Hǅ\b\373\377\377"}, {bv_len = 7, 
    bv_val = 0x7f672c104962 "lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...}, {bv_len = 9, 
    bv_val = 0x7f672c104958 "lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...}, {bv_len = 0, bv_val = 0x0}, {bv_len = 7, 
    bv_val = 0x7f672c104974 "lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...}, {bv_len = 9, 
    bv_val = 0x7f672c10497c "lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...}, {bv_len = 0, bv_val = 0x0}, {bv_len = 7, 
    bv_val = 0x7f672c104998 "lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...}, {bv_len = 9, 
    bv_val = 0x7f672c10498e "lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...}, {bv_len = 140081097628496, bv_val = 0x7f674aedd43b ""}, {bv_len = 7, 
    bv_val = 0x7f672c1049aa "lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;"}, {bv_len = 9, 
    bv_val = 0x7f672c1049b2 "lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;"}, {bv_len = 140081097623578, bv_val = 0xa32e <error: Cannot access memory at address 0xa32e>}, {bv_len = 0, bv_val = 0x0}, {bv_len = 140081463615328, 
    bv_val = 0x75 <error: Cannot access memory at address 0x75>}, {bv_len = 9007199254740995, bv_val = 0x7f6741e0df10 "\n"}, {bv_len = 0, bv_val = 0x7f674968ea59 <fmt> "%u.%u.%u.%u"}, {
    bv_len = 140081097623583, bv_val = 0xfffffffffffffffb <error: Cannot access memory at address 0xfffffffffffffffb>}, {bv_len = 42949672960, 
    bv_val = 0xa32e <error: Cannot access memory at address 0xa32e>}, {bv_len = 0, bv_val = 0x0}, {bv_len = 0, bv_val = 0x7f6741e0e3a3 "Kg\177"}, {bv_len = 0, bv_val = 0x0}, {bv_len = 0, bv_val = 0x0}, {
    bv_len = 0, bv_val = 0x7f674abf4816 <do_lookup_x+2342> "H\205\300L\213L$\bL\213D$(L\213\\$0\017\205t\370\377\377H\213T$ H\213t$\020\213\n\351y\377\377\377H\215\rs \001"}, {
    bv_len = 18446744073709551615, bv_val = 0x7f672c105b50 "\200^\020,g\177"}, {bv_len = 0, bv_val = 0x0}, {bv_len = 140081097623568, bv_val = 0xa <error: Cannot access memory at address 0xa>}, {
    bv_len = 140081097623578, bv_val = 0x7f67495df9a8 <__GI_freeaddrinfo+40> "H\205\355u\343H\203\304\b[]\303H\215=\365\t/"}, {bv_len = 10, bv_val = 0x0}, {bv_len = 0, 
    bv_val = 0x7f674a367cee "\351f\377\377\377\017\037D"}, {bv_len = 140081463616388, bv_val = 0x7f672c105b50 "\200^\020,g\177"}, {bv_len = 5, bv_val = 0x1 <error: Cannot access memory at address 0x1>}, 
  {bv_len = 0, bv_val = 0x0}, {bv_len = 0, bv_val = 0x0}, {bv_len = 3328210909095015474, bv_val = 0x7f0031330032 <error: Cannot access memory at address 0x7f0031330032>}, {bv_len = 140081463616388, 
    bv_val = 0x7f6741e0e384 ""}, {bv_len = 140081463616388, bv_val = 0x7f6741e0e389 ""}, {bv_len = 140081463616960, bv_val = 0x7f6741e0e5b0 ""}, {bv_len = 140081588719657, 
    bv_val = 0x7f674aedf314 "=*)"}, {bv_len = 140081615467279, bv_val = 0x7f67495594ea <_IO_vfprintf_internal+2042> "H\213\225\060\373\377\377Hǅ\b\373\377\377"}, {bv_len = 0, bv_val = 0x0}, {
    bv_len = 18409949472, bv_val = 0x2a10a06 <error: Cannot access memory at address 0x2a10a06>}, {bv_len = 140081463558144, bv_val = 0x0}, {bv_len = 140081463615792, 
---Type <return> to continue, or q <return> to quit---
    bv_val = 0x7f674b1200f0 "\006\066\257Ig\177"}, {bv_len = 18446744073709551615, bv_val = 0x7f6741e0e0e0 "\027\363\355Jg\177"}, {bv_len = 140081588469112, bv_val = 0x7f6749af2710 "\023\002"}, {
    bv_len = 4294967295, bv_val = 0x100000000 <error: Cannot access memory at address 0x100000000>}, {bv_len = 0, bv_val = 0x7f6700000000 <error: Cannot access memory at address 0x7f6700000000>}, {
    bv_len = 0, bv_val = 0x0}, {bv_len = 0, bv_val = 0x7f6700000000 <error: Cannot access memory at address 0x7f6700000000>}, {bv_len = 140080358359042, bv_val = 0x0}, {bv_len = 0, bv_val = 0x0}, {
    bv_len = 0, bv_val = 0x7f674961804d <___sprintf_chk+125> "H\201\304", <incomplete sequence \330>}, {bv_len = 18446744073709551615, bv_val = 0x2 <error: Cannot access memory at address 0x2>}, {
    bv_len = 9147279613100033, bv_val = 0x0}, {bv_len = 5, bv_val = 0x7f674aedf310 "%s%s=*)"}, {bv_len = 11, bv_val = 0x7f6700000006 <error: Cannot access memory at address 0x7f6700000006>}, {
    bv_len = 140081615467287, bv_val = 0xfefefeff6d766e6d <error: Cannot access memory at address 0xfefefeff6d766e6d>}, {bv_len = 2822930839, bv_val = 0x7f6749af3283 "_setjmp"}, {bv_len = 4294967295, 
    bv_val = 0x7f6741e0e1b0 "\257o\355Jg\177"}, {bv_len = 140081588439328, bv_val = 0x7f674b1294e8 ""}, {bv_len = 140081463616260, 
    bv_val = 0x7f6749685dc0 <_itoa_lower_digits> "0123456789abcdefghijklmnopqrstuvwxyz"}, {bv_len = 18374403902724796013, bv_val = 0x7f674b12a9f0 ""}, {bv_len = 7, bv_val = 0x7f6749af80aa "A\306E\177"}, 
  {bv_len = 206158430248, bv_val = 0x7f6741e0e810 "@!"}, {bv_len = 140081463617360, bv_val = 0x19 <error: Cannot access memory at address 0x19>}, {bv_len = 0, 
    bv_val = 0x7f6749af82c9 <request_init+249> "H\201\304", <incomplete sequence \320>}, {bv_len = 0, bv_val = 0x3000000030 <error: Cannot access memory at address 0x3000000030>}, {
    bv_len = 140081463616128, bv_val = 0x7f6741e0e1a0 "\340\363HKg\177"}, {bv_len = 140081621431264, bv_val = 0x2 <error: Cannot access memory at address 0x2>}, {bv_len = 140081615433647, 
    bv_val = 0x4 <error: Cannot access memory at address 0x4>}, {bv_len = 140081615435682, bv_val = 0x5 <error: Cannot access memory at address 0x5>}, {bv_len = 140081463620960, 
    bv_val = 0x7f674b13f544 <ldap_syslog> ""}, {bv_len = 140081617973920, bv_val = 0x7f674b56a270 "\001"}, {bv_len = 5, 
    bv_val = 0xdd763469be7efe00 <error: Cannot access memory at address 0xdd763469be7efe00>}, {bv_len = 140081096559496, bv_val = 0x0}, {bv_len = 140081621431264, 
    bv_val = 0x19 <error: Cannot access memory at address 0x19>}, {bv_len = 0, bv_val = 0x7f6741e0e680 "\002"}, {bv_len = 0, 
    bv_val = 0x7f6749af5ca9 <hosts_access+105> "\205\300\017\224\300H\203\304\030\017\266\300\303f.\017\037\204"}, {bv_len = 140081622242144, bv_val = 0x7f6741e0e280 "\377\377\377\377unknown"}, {
    bv_len = 0, bv_val = 0x7f6749af73be <hosts_ctl+94> "H\213\264$\210\003"}, {bv_len = 140081463617104, bv_val = 0x7f6700000003 <error: Cannot access memory at address 0x7f6700000003>}, {
    bv_len = 140081615435682, bv_val = 0x7f6700000000 <error: Cannot access memory at address 0x7f6700000000>}, {bv_len = 7956574619765309439, 
    bv_val = 0x6e776f <error: Cannot access memory at address 0x6e776f>}, {bv_len = 140081463616208, bv_val = 0xffff8098be1f1d31 <error: Cannot access memory at address 0xffff8098be1f1d31>}, {
    bv_len = 140081463616207, bv_val = 0x0}, {bv_len = 0, bv_val = 0x96 <error: Cannot access memory at address 0x96>}, {bv_len = 18446603992245935297, 
    bv_val = 0x11 <error: Cannot access memory at address 0x11>}, {bv_len = 18446603992245935281, bv_val = 0x2 <error: Cannot access memory at address 0x2>}, {bv_len = 0, 
    bv_val = 0x30 <error: Cannot access memory at address 0x30>}, {bv_len = 140081463616336, bv_val = 0x7f672c000020 ""}, {bv_len = 1168, bv_val = 0x47b <error: Cannot access memory at address 0x47b>}, {
    bv_len = 140081097623408, bv_val = 0x7f672c1047f0 ""}, {bv_len = 140081097628224, 
    bv_val = 0x7f674958fd56 <_int_malloc+4310> "\205\300D\213\\$0D\213D$D\017\205P\372\377\377H\213L$(H\213CXL\213L$8I\211M\030\351\203\371\377\377H\213ShI\215\004,L9r\030u]I\201\377\377\003"}, {
    bv_len = 124, bv_val = 0x47b <error: Cannot access memory at address 0x47b>}, {bv_len = 4095, bv_val = 0x4b0 <error: Cannot access memory at address 0x4b0>}, {bv_len = 4096, 
    bv_val = 0x107000 <error: Cannot access memory at address 0x107000>}, {bv_len = 140081096556545, bv_val = 0x6 <error: Cannot access memory at address 0x6>}, {bv_len = 18446603992245935121, 
    bv_val = 0x2 <error: Cannot access memory at address 0x2>}, {bv_len = 0, bv_val = 0x7700000030 <error: Cannot access memory at address 0x7700000030>}, {bv_len = 140081463616496, bv_val = 0x0}, {
    bv_len = 140081622262672, bv_val = 0x7f674b55bab0 "\220\243UKg\177"}, {bv_len = 1099528470784, bv_val = 0x1000101000001 <error: Cannot access memory at address 0x1000101000001>}}

Eric Desrochers (slashd) on 2016-06-17

Changed in openldap (Ubuntu Trusty):
assignee:	nobody → Eric Desrochers (slashd)
tags:	added: sts
Changed in openldap (Ubuntu Trusty):
importance:	Undecided → Medium

Eric Desrochers (slashd) on 2016-06-17

Changed in openldap (Ubuntu):
status:	New → Fix Released

Eric Desrochers (slashd) on 2016-06-20

description:	updated
description:	updated

Revision history for this message

Eric Desrochers (slashd) wrote on 2016-06-20:

lp1593378_trusty.debdiff Edit (1.5 KiB, text/plain)

Here's the debdiff for Trusty which is a cherry picked patch from upstream VCS.

Changed in openldap (Ubuntu Trusty):
status:	New → In Progress

Eric Desrochers (slashd) on 2016-06-20

tags:	added: ubuntu-sponsors
tags:	added: patch sts-sponsor sts-sru

Revision history for this message

Eric Desrochers (slashd) wrote on 2016-06-21:

The user that originally reported the issue on Ubuntu package have tested a "Test package".
The "Test package" I have builded can be found here : ppa:slashd/fix1593378.

Users feedback :

"We tested the hotfix and looks like it works, the sldap on the CIC with the fix didn`t crash."

Eric

description:

updated

Revision history for this message

Martin Pitt (pitti) wrote on 2016-06-24: Please test proposed package

Hello Eric, or anyone else affected,

Accepted openldap into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openldap/2.4.31-1+nmu2ubuntu8.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in openldap (Ubuntu Trusty):
status:	In Progress → Fix Committed
tags:	added: verification-needed

Eric Desrochers (slashd) on 2016-06-24

tags:

removed: sts-sponsor

Revision history for this message

Robie Basak (racb) wrote on 2016-06-27:

Unsubscribing ~ubuntu-sponsors as it looks like this has already been uploaded.

Eric Desrochers (slashd) on 2016-06-30

tags:

added: verification-done
removed: verification-needed

Revision history for this message

Eric Desrochers (slashd) wrote on 2016-07-01:

The following has been brought to my attention by a user :

"I got verification from the system test, the fix solves the ldap issue.
Thank you for the fix"

Revision history for this message

Launchpad Janitor (janitor) wrote on 2016-07-06:

This bug was fixed in the package openldap - 2.4.31-1+nmu2ubuntu8.3

---------------
openldap (2.4.31-1+nmu2ubuntu8.3) trusty; urgency=medium

  * Fix segfault issue in slap_bv2ad (LP: #1593378)
    - d/p/its-7941-fix-for-repeated-tags.patch: Cherry picked
    patch from upstream VCS.

-- Eric Desrochers <email address hidden> Fri, 24 Jun 2016 11:05:23 +0200

Changed in openldap (Ubuntu Trusty):
status:	Fix Committed → Fix Released

Revision history for this message

Martin Pitt (pitti) wrote on 2016-07-06: Update Released

#10

The verification of the Stable Release Update for openldap has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Louis Bouchard (louis) on 2016-11-09

tags:

removed: sts-sru

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

lp1593378_trusty.debdiff Edit

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntuopenldap package

crash in slap_bv2ad using repeated tags

Bug Description

Other bug subscribers

Patches

Remote bug watches

Ubuntu
openldap package