entry_add_present_values_wsi_multi_valued() crashes when "type" is an invalid attribute name: "cn "
    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x7fef867fc700 (LWP 16374)]
    0x00007fefa64a4204 in entry_add_present_values_wsi_multi_valued (e=0x7fef68003ac0, type=0x7fef68005ff0 "cn ", bervals=0x7fef68006010, csn=0x7fef867f75b0, urp=0, flags=0) at ../ds/ldap/servers/slapd/entrywsi.c:548
    548         a_flags_orig = a->a_flags;

    546     int attr_state = entry_attr_find_wsi(e, type, &a);
    547
    548     a_flags_orig = a->a_flags;   --> "a" is NULL and then dereferenced

    (gdb) where
    #0  0x00007fefa64a4204 in entry_add_present_values_wsi_multi_valued (e=0x7fef68003ac0, type=0x7fef68005ff0 "cn ", bervals=0x7fef68006010, csn=0x7fef867f75b0, urp=0, flags=0) at ../ds/ldap/servers/slapd/entrywsi.c:548
    #1  0x00007fefa64a3e7f in entry_add_present_values_wsi (e=0x7fef68003ac0, type=0x7fef68005ff0 "cn ", bervals=0x7fef68006010, csn=0x7fef867f75b0, urp=0, flags=0) at ../ds/ldap/servers/slapd/entrywsi.c:446
    #2  0x00007fefa64a4da8 in entry_replace_present_values_wsi (e=0x7fef68003ac0, type=0x7fef68005ff0 "cn ", vals=0x7fef68006010, csn=0x7fef867f75b0, urp=0) at ../ds/ldap/servers/slapd/entrywsi.c:912
    #3  0x00007fefa64a4f35 in entry_apply_mod_wsi (e=0x7fef68003ac0, mod=0x7fef68005fb0, csn=0x7fef867f75b0, urp=0) at ../ds/ldap/servers/slapd/entrywsi.c:940
    #4  0x00007fefa64a51bd in entry_apply_mods_wsi (e=0x7fef68003ac0, smods=0x7fef867f7630, csn=0x7fef680029c0, urp=0) at ../ds/ldap/servers/slapd/entrywsi.c:1010
    #5  0x00007fef9bfd6ca5 in modify_apply_check_expand (pb=0x7fef867fbb10, operation=0x25c4110, mods=0x7fef68001910, e=0x7fef64002260, ec=0x7fef68003a50, postentry=0x7fef867f7718, ldap_result_code=0x7fef867f76a4, ldap_result_message=0x7fef867f7738) at ../ds/ldap/servers/slapd/back-ldbm/ldbm_modify.c:276
    #6  0x00007fef9bfd7ada in ldbm_back_modify (pb=0x7fef867fbb10) at ../ds/ldap/servers/slapd/back-ldbm/ldbm_modify.c:654
    #7  0x00007fefa64d4717 in op_shared_modify (pb=0x7fef867fbb10, pw_change=0, old_pw=0x0) at ../ds/ldap/servers/slapd/modify.c:1081
    #8  0x00007fefa64d2d31 in do_modify (pb=0x7fef867fbb10) at ../ds/ldap/servers/slapd/modify.c:419
    #9  0x0000000000415f1f in connection_dispatch_operation (conn=0x7fefa680d560, op=0x25c4110, pb=0x7fef867fbb10) at ../ds/ldap/servers/slapd/connection.c:660
    #10 0x0000000000417e87 in connection_threadmain () at ../ds/ldap/servers/slapd/connection.c:2534
    #11 0x00007fefa48c2e3b in _pt_root (arg=0x25a97a0) at ../../../nspr/pr/src/pthreads/ptthread.c:212
    #12 0x00007fefa4262ee5 in start_thread (arg=0x7fef867fc700) at pthread_create.c:309
    #13 0x00007fefa3f91b8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
How did the invalid attribute name get in there in the first place?
Replying to [comment:1 rmeggins]:
DNA plugin config entry in cn=config: "dnaType: cn "
Replying to [comment:2 mreynolds]:
> Replying to [comment:1 rmeggins]:
> > How did the invalid attribute name get in there in the first place?
>
> DNA plugin config entry in cn=config: "dnaType: cn "
Looks like we should also add schema checking to whatever parses that data.
Replying to [comment:3 rmeggins]:
> Replying to [comment:2 mreynolds]:
> > Replying to [comment:1 rmeggins]:
> > > How did the invalid attribute name get in there in the first place?
> >
> > DNA plugin config entry in cn=config: "dnaType: cn "
>
> Looks like we should also add schema checking to whatever parses that data.
dnaType is in the schema, but it has directory string syntax, so "cn " is valid. We could probably normalize the value using: slapi_attr_syntax_normalize_ext()
Steps to reproduce:

[1] Install DS using "dc=example,dc=com"

[2] Create two "ou" branches, and an entry:

    ou=people,dc=example,dc=com
    ou=ranges,dc=example,dc=com
    cn=entry,ou=people,dc=example,dc=com

[3] Configure the dna plugin

    dn: cn=Distributed Numeric Assignment Plugin,cn=plugins
    changetype: modify
    replace: nsslapd-pluginEnabled
    nsslapd-pluginEnabled: on

    dn: cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
    changetype: add
    objectClass: top
    objectClass: dnaPluginConfig
    cn: dnaConfig
    dnaType: cn
    dnaMaxValue: 10000
    dnaMagicRegen: 0
    dnaFilter: (objectclass=top)
    dnaScope: ou=people,dc=example,dc=com
    dnaNextValue: 500
    dnaSharedCfgDN: ou=ranges,dc=example,dc=com

    dn: dnaHostname=localhost.localdomain+dnaPortNum=389,ou=ranges,dc=example,dc=com
    changetype: add
    objectClass: dnaSharedConfig
    objectClass: top
    dnaHostname: localhost.localdomain
    dnaPortNum: 389
    dnaSecurePortNum: 636
    dnaRemainingValues: 9501

[4] Restart the server

[5] Change dnaType to use an attribute with a trailing space: "cn "

    dn: cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
    changetype: modify
    replace: dnaType
    dnaType: cn

[6] Modify the entry in any way, and a crash will occur

    dn: cn=entry,ou=people,dc=example,dc=com
    changetype: modify
    replace: description
    description: new description
Replying to [comment:4 mreynolds]:
> Replying to [comment:3 rmeggins]:
> > Replying to [comment:2 mreynolds]:
> > > Replying to [comment:1 rmeggins]:
> > > > How did the invalid attribute name get in there in the first place?
> > >
> > > DNA plugin config entry in cn=config: "dnaType: cn "
> >
> > Looks like we should also add schema checking to whatever parses that data.
>
> dnaType is in the schema, but it has directory string syntax, so "cn " is valid.
No, what I mean is that the values of the attribute dnaType are expected to be a valid attributeTypes. So we should do schema checking on the values.
> We could probably normalize the value using: slapi_attr_syntax_normalize_ext()
If we do schema checking on the value, I don't think we have to normalize first.
> Steps to reproduce:
>
> [1] Install DS using "dc=example,dc=com"
>
> [2] Create two "ou" branches, and an entry:
>
>     ou=people,dc=example,dc=com
>     ou=ranges,dc=example,dc=com
>     cn=entry,ou=people,dc=example,dc=com
>
> [3] Configure the dna plugin
>
>     ldapmodify ...
>     dn: cn=Distributed Numeric Assignment Plugin,cn=plugins
>     changetype: modify
>     replace: nsslapd-pluginEnabled
>     nsslapd-pluginEnabled: on
>
>     dn: cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>     changetype: add
>     objectClass: top
>     objectClass: dnaPluginConfig
>     cn: dnaConfig
>     dnaType: cn
>     dnaMaxValue: 10000
>     dnaMagicRegen: 0
>     dnaFilter: (objectclass=top)
>     dnaScope: ou=people,dc=example,dc=com
>     dnaNextValue: 500
>     dnaSharedCfgDN: ou=ranges,dc=example,dc=com
>
>     dn: dnaHostname=localhost.localdomain+dnaPortNum=389,ou=ranges,dc=example,dc=com
>     changetype: add
>     objectClass: dnaSharedConfig
>     objectClass: top
>     dnaHostname: localhost.localdomain
>     dnaPortNum: 389
>     dnaSecurePortNum: 636
>     dnaRemainingValues: 9501
>
> [4] Restart the server
>
> [5] Change dnaType to use an attribute with a trailing space: "cn "
>
>     ldapmodify...
>     dn: cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>     changetype: modify
>     replace: dnaType
>     dnaType: cn
>
> [6] Modify the entry in any way, and a crash will occur
>
>     ldapmodify
>     dn: cn=entry,ou=people,dc=example,dc=com
>     changetype: modify
>     replace: description
>     description: new description
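The two defenses discussed in this thread, as an added example (not the project's patch and not 389-ds code): reject a configured attribute type such as "cn " when the configuration is read, and check the lookup result before dereferencing it. The `schema` table, `struct attr` and every function name below are hypothetical stand-ins.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for a schema table and attribute record (not 389-ds types). */
struct attr { const char *name; unsigned flags; };
static struct attr schema[] = { {"cn", 1}, {"description", 2}, {"uidNumber", 4} };

static int eq_nocase(const char *a, const char *b)
{
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == *b;
}

/* Models a lookup that leaves *out NULL when the type is unknown. */
static int attr_find(const char *type, struct attr **out)
{
    *out = NULL;
    for (size_t i = 0; i < sizeof schema / sizeof schema[0]; i++)
        if (eq_nocase(schema[i].name, type)) { *out = &schema[i]; return 1; }
    return 0;
}

/* Config-time check: RFC 4512 descr form (ALPHA, then ALPHA/DIGIT/HYPHEN) and known
 * to the schema. Numeric OIDs and attribute options are out of scope here. */
int config_type_ok(const char *type)
{
    struct attr *a;
    if (type == NULL || !isalpha((unsigned char)type[0])) return 0;
    for (const char *p = type + 1; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '-') return 0;
    return attr_find(type, &a);
}

/* Use-time check: report an error instead of reading a->flags after a failed lookup. */
int get_flags_checked(const char *type, unsigned *flags_out)
{
    struct attr *a = NULL;
    if (!attr_find(type, &a) || a == NULL) return -1;
    *flags_out = a->flags;
    return 0;
}

int main(void)
{
    unsigned f = 0;
    printf("config \"cn\": %d, config \"cn \": %d\n", config_type_ok("cn"), config_type_ok("cn "));
    printf("lookup \"cn \": %d\n", get_flags_checked("cn ", &f));
    return 0;
}
```

Either check alone stops the crash in this model; doing both keeps a bad value out of the configuration and keeps the modify path safe if one gets in anyway.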
attachment 0001-Ticket-47937-Crash-in-entry_add_present_values_wsi_m.patch
lib389 test 0002-lib389-testcase-for-ticket-47937.patch
Bug is present in 1.3.2 and up
Thank you for the version info, Mark!! That's what I was going to check. ;)
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1156607
    git merge ticket47937
    Updating 958be12..3cdf0eb
    Fast-forward
     dirsrvtests/tickets/ticket47937_test.py | 237 ++++++++++++++++++++++++++++++++++++++++++
     ldap/servers/plugins/dna/dna.c          |   8 ++
     ldap/servers/slapd/entrywsi.c           |   5 +-
     3 files changed, 248 insertions(+), 2 deletions(-)
     create mode 100644 dirsrvtests/tickets/ticket47937_test.py

    git push origin master
       958be12..3cdf0eb  master -> master

    commit 3cdf0eb
    Author: Mark Reynolds mreynolds@redhat.com
    Date: Fri Oct 24 14:14:25 2014 -0400

       b7b4981..738d985  389-ds-base-1.3.3 -> 389-ds-base-1.3.3
    commit 738d985

       ce1f451..896424f  389-ds-base-1.3.2 -> 389-ds-base-1.3.2
    commit 896424f
Metadata Update from @mreynolds: - Issue assigned to mreynolds - Issue set to the milestone: 1.3.2.24
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/1268
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)