crash in slap_bv2ad using repeated tags
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openldap (Ubuntu) | Fix Released | Medium | Eric Desrochers |
Trusty | Fix Released | Medium | Eric Desrochers |
Bug Description
[SRU JUSTIFICATION]
[Impact]
The effect of the bug on users is that the program (slapd) terminates with signal SIGSEGV (segmentation fault) when ldapsearch tries to query using multiple language tags.
GDB output:
...
Core was generated by `/usr/sbin/slapd -h ldap://<IP>:389 ldap://<IP>:389/ ldapi:/// -g o'.
Program terminated with signal SIGSEGV, Segmentation fault.
...
(gdb) bt
#0 __strncasecmp_
#1 0x00007f674ae8cab2 in slap_bv2ad (bv=bv@
...
In frame #1 the 'tags' struct is corrupt.
Line #272 checks for duplication and jumps to the done label (line #294) when a duplicate is found. The code increases 'ntags' without filling in the tags struct with values. In later iterations this could lead to copying and using uninitialised memory.
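To make the counting error concrete, the following is an added example written for this page, not OpenLDAP's slap_bv2ad: a deliberately simplified, hypothetical parser for the options in an attribute description such as cn;lang-en;lang-fr. The `fixed` flag switches between the behaviour the report describes (the counter is incremented before the duplicate check, so a skipped tag leaves a counted but never written slot that later iterations compare against) and the correction the upstream patch applies (decrement the counter on the skip path). The tag table is zeroed so the unfilled slot is observable; on the real stack it would hold whatever was left there, which is the uninitialised read behind the crash.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of collecting the options in an attribute
 * description ("cn;lang-en;lang-fr").  It is NOT OpenLDAP's slap_bv2ad;
 * it only reproduces the counting pattern the bug report describes. */

#define MAX_TAGS 8

struct tag {
    const char *p;   /* start of the tag text inside the description */
    size_t      len; /* its length */
};

/* Case-insensitive comparison of n bytes; callers check lengths first. */
static int tag_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Walk the ';'-separated options after the attribute type and store each
 * distinct one in tags[].  Returns the final ntags, or -1 if the table is
 * full.  With fixed == 0 the counter is bumped before the duplicate check
 * and never undone, so a skipped duplicate leaves a counted but unfilled
 * slot that later iterations compare against; with fixed == 1 the skip
 * path decrements ntags again, as the upstream patch does. */
static int parse_tags(const char *desc, struct tag *tags, int fixed)
{
    int ntags = 0;
    const char *opt = strchr(desc, ';');

    while (opt != NULL) {
        opt++;                                   /* step past the ';' */
        const char *end = strchr(opt, ';');
        size_t len = end ? (size_t)(end - opt) : strlen(opt);

        if (ntags >= MAX_TAGS)
            return -1;
        ntags++;                                 /* counted before stored */

        int dup = 0;
        for (int i = 0; i < ntags - 1; i++) {    /* reads every counted slot, filled or not */
            if (tags[i].len == len && tag_eq(tags[i].p, opt, len)) {
                dup = 1;
                break;
            }
        }
        if (dup) {
            if (fixed)
                ntags--;                         /* the one-line fix */
            opt = end;
            continue;                            /* buggy path: slot ntags-1 stays unfilled */
        }

        tags[ntags - 1].p = opt;
        tags[ntags - 1].len = len;
        opt = end;
    }
    return ntags;
}

/* Parse into a zeroed table and return ntags.  Zeroing makes the unfilled
 * slot observable; on the real stack it would hold leftover garbage. */
static int count_tags(const char *desc, int fixed)
{
    struct tag tags[MAX_TAGS];
    memset(tags, 0, sizeof tags);
    return parse_tags(desc, tags, fixed);
}

/* Number of slots within [0, ntags) that were counted but never written. */
static int count_unfilled(const char *desc, int fixed)
{
    struct tag tags[MAX_TAGS];
    memset(tags, 0, sizeof tags);
    int n = parse_tags(desc, tags, fixed), unfilled = 0;
    for (int i = 0; i < n; i++)
        if (tags[i].p == NULL)
            unfilled++;
    return unfilled;
}

int main(void)
{
    const char *desc = "cn;lang-en;lang-en;lang-fr";  /* constructed input with a repeated tag */
    printf("buggy: ntags=%d unfilled=%d\n", count_tags(desc, 0), count_unfilled(desc, 0));
    printf("fixed: ntags=%d unfilled=%d\n", count_tags(desc, 1), count_unfilled(desc, 1));
    return 0;
}
```

With the repeated lang-en the buggy variant reports three tags of which one slot was never written, and the third iteration's duplicate check reads that slot; the fixed variant reports two tags and no unfilled slots. The same holds when the repeat differs only in case, since tag comparison is case-insensitive, which is why __strncasecmp appears at the top of the backtrace.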
[Test Case]
One way to reproduce the issue:
$ ldapsearch -D "cn=<BINDDN_
Explanation:
Reference:
http://
-D binddn
Use the Distinguished Name binddn to bind to the LDAP directory.
For SASL binds, the server is expected to ignore this value.
-x
Use simple authentication instead of SASL.
-W
Prompt for simple authentication. This is used instead of
specifying the password on the command line.
-b searchbase
Use searchbase as the starting point for the search instead of the default.
[Regression Potential]
The patch is already in place in Debian, Wily and later Ubuntu releases.
A hotfix has been tested by the user that originally reported the issue.
The hotfix solves the issue.
[Other Info]
Upstream OpenLDAP Bug:
http://
Upstream OpenLDAP Commit:
af8f1e0 ITS#7941 fix for repeated tags
Upstream OpenLDAP Commit Web:
http://
(The commit has been introduced first in upstream branch : OPENLDAP_
[Original Description]
Core was generated by `/usr/sbin/slapd -h ldap://<IP>:389 ldap://<IP>:389/ ldapi:/// -g o'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __strncasecmp_
210 ../sysdeps/
(gdb) bt
#0 __strncasecmp_
#1 0x00007f674ae8cab2 in slap_bv2ad (bv=bv@
#2 0x00007f674ae4d235 in get_filter (op=op@
at ../../.
#3 0x00007f674ae4b985 in do_search (op=0x7f672c000a80, rs=0x7f6741e0f960) at ../../.
#4 0x00007f674ae496dc in connection_
#5 0x00007f674ae49a40 in connection_
#6 0x00007f674a9a7aba in ?? () from /usr/lib/
#7 0x00007f67498dc182 in start_thread (arg=0x7f6741e1
#8 0x00007f674960947d in clone () at ../sysdeps/
Changed in openldap (Ubuntu):
  importance: Undecided → Medium
Changed in openldap (Ubuntu):
  assignee: nobody → Eric Desrochers (slashd)
Changed in openldap (Ubuntu Trusty):
  assignee: nobody → Eric Desrochers (slashd)
tags: added: sts
Changed in openldap (Ubuntu Trusty):
  importance: Undecided → Medium
Changed in openldap (Ubuntu):
  status: New → Fix Released
description: updated
description: updated
tags: added: ubuntu-sponsors
tags: added: patch sts-sponsor sts-sru
tags: removed: sts-sponsor
tags: added: verification-done; removed: verification-needed
tags: removed: sts-sru
I think this upstream commit could be a possible candidate to fix that issue:
commit 0659ef45d486b5daaafc020cb67b561a8029036d
Author: Howard Chu <email address hidden>
Date: Thu Sep 18 00:33:33 2014 +0100
ITS#7941 fix for repeated tags
Make sure ntags isn't incremented if we're skipping the tag
diff --git a/servers/ slapd/ad. c b/servers/ slapd/ad. c slapd/ad. c slapd/ad. c
index 78a8b15..246b900 100644
--- a/servers/
+++ b/servers/
@@ -271,6 +271,7 @@ int slap_bv2ad(
+ ntags--;
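Review bot: the single added line `ntags--;` repairs the count by undoing an increment that has already happened, which keeps the invariant that 'ntags' equals the number of filled tag slots only as long as every skip path remembers to decrement; a more robust shape is to increment 'ntags' only at the point where the tag entry is actually written, after the duplicate check, so no compensating decrement is needed and the commit message's "isn't incremented" matches the code literally. As extracted, the hunk carries no context lines, so its position relative to the duplicate check (line 272) and the done label (line 294) named in the description cannot be confirmed from the page; the surrounding lines should be checked to ensure the decrement is reached on every skipped-duplicate path and on no other.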