[Bug 1593378] [NEW] crash in slap_bv2ad using repeated tags

Launchpad Bug Tracker 1593378 at bugs.launchpad.net
Mon Jun 20 19:02:32 UTC 2016


You have been subscribed to a public bug by Eric Desrochers (slashd):

[SRU JUSTIFICATION]

[Impact]

The effect of the bug on users is that the program (slapd) terminates
with signal SIGSEGV (segmentation fault) when ldapsearch queries an
attribute using multiple, repeated language tags.

GDB output:
...
Core was generated by `/usr/sbin/slapd -h ldap://<IP>:389 ldap://<IP>:389/ ldapi:/// -g o'.
Program terminated with signal SIGSEGV, Segmentation fault.
...

(gdb) bt
#0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
#1 0x00007f674ae8cab2 in slap_bv2ad (bv=bv at entry=0x7f6741e0e830, ad=ad at entry=0x7f6741e0e848, text=text at entry=0x7f6741e0f980) at ../../../../servers/slapd/ad.c:268
...

In frame #1 the 'tags' struct is corrupt.

Line #272 checks for duplication and jumps to the done label (line #294)
when a duplicate is found. Because that jump bypasses the code that fills
in the tags entry, 'ntags' is increased without the corresponding entry
ever being written. In later iterations the duplicate check then compares
against, and the code copies and uses, that uninitialised entry, which is
consistent with the crash inside strncasecmp in frame #0.
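The defect class described above, as an added illustration that is not OpenLDAP's code: a deliberately simplified parser for an attribute description such as "cn;lang-de;lang-en;lang-de" in which the duplicate check jumps past the store but not past the counter, placed next to the corrected form that skips a repeated tag entirely. All names (struct tag, parse_tags_buggy, parse_tags_fixed, MAX_TAGS) and the sample description are hypothetical; the buggy version is run on a zeroed array purely so the demo stays well-defined, whereas in a real server the unwritten slot holds whatever was left on the stack.

```c
/* Added illustration (not OpenLDAP's code): a simplified tag parser that
 * shows the "counter incremented, entry never written" defect and its fix.
 * Names are hypothetical; only the shape of the bug mirrors the report. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp, the function in crashing frame #0 */

#define MAX_TAGS 64

struct tag {
    const char *val;   /* start of the tag inside the description */
    size_t      len;   /* tag length, no terminator (berval-like) */
};

/* Case-insensitive comparison of one stored tag against a candidate. */
static int same_tag(const struct tag *t, const char *p, size_t len)
{
    if (t->len != len)
        return 0;
    if (len == 0)          /* an empty tag (";;") matches only an empty tag */
        return 1;
    return strncasecmp(t->val, p, len) == 0;
}

/* Returns 1 if (p,len) already occurs in tags[0..ntags). */
static int tag_seen(const struct tag *tags, int ntags, const char *p, size_t len)
{
    for (int i = 0; i < ntags; i++)
        if (same_tag(&tags[i], p, len))
            return 1;
    return 0;
}

/* BUGGY: on a duplicate the goto skips the two stores, but the label sits
 * before ntags++, so the counter grows while tags[ntags-1] stays unwritten.
 * Returns the tag count, or -1 if MAX_TAGS would be exceeded. */
int parse_tags_buggy(const char *desc, struct tag *tags)
{
    int ntags = 0;
    const char *p = strchr(desc, ';');

    while (p != NULL) {
        const char *end;
        size_t len;

        p++;                               /* step past the ';' */
        end = strchr(p, ';');
        len = end ? (size_t)(end - p) : strlen(p);
        if (ntags >= MAX_TAGS)
            return -1;
        if (tag_seen(tags, ntags, p, len))
            goto done;                     /* skips the stores below ... */
        tags[ntags].val = p;
        tags[ntags].len = len;
done:
        ntags++;                           /* ... but not the increment */
        p = end;
    }
    return ntags;
}

/* FIXED: a repeated tag is skipped entirely, so ntags only ever counts
 * entries that were actually written and later comparisons see real data. */
int parse_tags_fixed(const char *desc, struct tag *tags)
{
    int ntags = 0;
    const char *p = strchr(desc, ';');

    while (p != NULL) {
        const char *end;
        size_t len;

        p++;
        end = strchr(p, ';');
        len = end ? (size_t)(end - p) : strlen(p);
        if (!tag_seen(tags, ntags, p, len)) {
            if (ntags >= MAX_TAGS)
                return -1;
            tags[ntags].val = p;
            tags[ntags].len = len;
            ntags++;
        }
        p = end;
    }
    return ntags;
}

/* Number of entries below ntags that were really written (val != NULL). */
static int count_written(const struct tag *tags, int ntags)
{
    int w = 0;
    for (int i = 0; i < ntags; i++)
        if (tags[i].val != NULL)
            w++;
    return w;
}

/* Runs one parser over a constructed description on a zeroed array. */
static int demo(int (*parse)(const char *, struct tag *), int *written)
{
    static const char desc[] = "cn;lang-de;lang-en;lang-de;lang-en;lang-de"; /* constructed */
    struct tag tags[MAX_TAGS];
    int n;
    memset(tags, 0, sizeof tags);
    n = parse(desc, tags);
    *written = count_written(tags, n < 0 ? 0 : n);
    return n;
}

int buggy_ntags(void)   { int w; return demo(parse_tags_buggy, &w); }
int buggy_written(void) { int w; demo(parse_tags_buggy, &w); return w; }
int fixed_ntags(void)   { int w; return demo(parse_tags_fixed, &w); }
int fixed_written(void) { int w; demo(parse_tags_fixed, &w); return w; }

int main(void)
{
    printf("buggy: ntags=%d written=%d\n", buggy_ntags(), buggy_written());
    printf("fixed: ntags=%d written=%d\n", fixed_ntags(), fixed_written());
    return 0;
}
```

With two distinct tags repeated three times, the buggy parser reports five tags while only two entries were ever written; each additional repetition in a request like the one in the test case below widens that gap, and every duplicate check walks over the unwritten slots. The fix makes the count and the written entries agree, so strncasecmp is only ever handed pointers the parser stored itself.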

[Test Case]

One way to reproduce the issue:

$ ldapsearch -D "cn=<BINDDN_COMMON_NAME>,dc=<BINDDN_DOMAIN_COMPONENT>,dc=<BINDDN_DOMAIN_COMPONENT>,dc=<BINDDN_DOMAIN_COMPONENT>" \
  -x -W -b "dc=<SEARCHPATH_DOMAIN_COMPONENT>,dc=<SEARCHPATH_DOMAIN_COMPONENT>,dc=<SEARCHPATH_DOMAIN_COMPONENT>" \
  "cn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de"

Explanation:

Reference:
http://manpages.ubuntu.com/cgi-bin/search.py?q=ldapsearch

-D binddn
Use the Distinguished Name binddn to bind to the LDAP directory.
For SASL binds, the server is expected to ignore this value.

-x
Use simple authentication instead of SASL.

-W
Prompt for simple authentication. This is used instead of
specifying the password on the command line.

-b searchbase
Use searchbase as the starting point for the search instead of the default.

[Regression Potential]

The patch is already in place in Debian, in Wily and in later Ubuntu
releases.

[Other Info]

Upstream OpenLDAP bug:
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7941;page=9

Upstream OpenLDAP commit:
af8f1e0 ITS#7941 fix for repeated tags

Upstream OpenLDAP commit (web):
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=af8f1e0

(The commit was first introduced upstream at
OPENLDAP_REL_ENG_2_4_40~6.)

[Original Description]

Core was generated by `/usr/sbin/slapd -h ldap://<IP>:389 ldap://<IP>:389/ ldapi:/// -g o'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
210	../sysdeps/x86_64/multiarch/../strcmp.S: No such file or directory.
(gdb) bt
#0  __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
#1  0x00007f674ae8cab2 in slap_bv2ad (bv=bv at entry=0x7f6741e0e830, ad=ad at entry=0x7f6741e0e848, text=text at entry=0x7f6741e0f980) at ../../../../servers/slapd/ad.c:268
#2  0x00007f674ae4d235 in get_filter (op=op at entry=0x7f672c000a80, ber=<optimized out>, filt=filt at entry=0x7f672c000af0, text=text at entry=0x7f6741e0f980)
    at ../../../../servers/slapd/filter.c:190
#3  0x00007f674ae4b985 in do_search (op=0x7f672c000a80, rs=0x7f6741e0f960) at ../../../../servers/slapd/search.c:127
#4  0x00007f674ae496dc in connection_operation (ctx=ctx at entry=0x7f6741e0fb90, arg_v=arg_v at entry=0x7f672c000a80) at ../../../../servers/slapd/connection.c:1150
#5  0x00007f674ae49a40 in connection_read_thread (ctx=0x7f6741e0fb90, argv=0x19) at ../../../../servers/slapd/connection.c:1286
#6  0x00007f674a9a7aba in ?? () from /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#7  0x00007f67498dc182 in start_thread (arg=0x7f6741e10700) at pthread_create.c:312
#8  0x00007f674960947d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

** Affects: openldap (Ubuntu)
     Importance: Medium
     Assignee: Eric Desrochers (slashd)
         Status: Fix Released

** Affects: openldap (Ubuntu Trusty)
     Importance: Medium
     Assignee: Eric Desrochers (slashd)
         Status: In Progress


** Tags: patch sts sts-sponsor sts-sru ubuntu-sponsors
-- 
crash in slap_bv2ad using repeated tags
https://bugs.launchpad.net/bugs/1593378