This bug affects directory initializations when the membersize exceeds the default value. For example, a dogtag replica installation with a large CRL entry will fail due to the size exceeding 2097152 bytes.
The only place we tell the Sockbuf layer that we have a max size is here:
{{{
Connection_Table *
connection_table_new(int table_size)
...
ber_len_t maxbersize = config_get_maxbersize();
}}}
this should be moved before the loop - no reason to do this inside the loop
{{{
ber_sockbuf_ctrl( ct->c[i].c_sb, LBER_SB_OPT_SET_MAX_INCOMING, &maxbersize );
}}}
Will be tricky to do this dynamically and have it apply to all open connections. Would prefer to do it only for new connections:
{{{
handle_new_connection()
...
ber_sockbuf_add_io( conn->c_sb, &openldap_sockbuf_io, LBER_SBIOD_LEVEL_PROVIDER, conn );
...
ber_len_t maxbersize = config_get_maxbersize();
ber_sockbuf_ctrl( conn->c_sb, LBER_SB_OPT_SET_MAX_INCOMING, &maxbersize );
}}}
Fix description: Based on the proposal made by rmeggins@redhat.com in the ticket #542, this patch sets maxbersize every time before reading the client input from the socket.
If the incoming ber size is larger than maxbersize, access log logs:
{{{
[..] conn=# op=-1 fd=64 closed error 34 (Numerical result out of range) - B2
}}}
And the error log logs:
{{{
[..] connection - conn=# fd=# Incoming BER Element was too long, max allowable is # bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
}}}
git patch file (master) 0001-Ticket-542-Cannot-dynamically-set-nsslapd-maxbersize.patch
Reviewed by Rich (Thank you!!)
Pushed to master: commit cce46be
Pushed to 389-ds-base-1.3.0: commit 5941a5b
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=918689
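The stale-limit behaviour discussed in this ticket, as an added C example that is not code from the ticket, the patch, or 389-ds-base: it models a per-connection incoming limit that is copied once at connection setup versus one refreshed before each read. All names (`g_maxbersize`, `conn_t`, `conn_read_stale`, `conn_read_fixed`) are hypothetical, and the header bytes are a constructed sample.

```c
/* Added illustration; not 389-ds-base or liblber source. All names are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
static size_t g_maxbersize = 2097152;            /* stand-in for nsslapd-maxbersize */
typedef struct { size_t max_incoming; } conn_t;  /* stand-in for a connection's Sockbuf limit */
/* Constructed sample header: tag 0x30, long-form length 0x00300000 (3145728 bytes). */
static const uint8_t HDR[] = { 0x30, 0x84, 0x00, 0x30, 0x00, 0x00 };

/* Decode the BER definite length that follows the one-byte tag. */
static int ber_peek_len(const uint8_t *buf, size_t n, size_t *len) {
    if (n < 2) return -1;
    if (buf[1] < 0x80) { *len = buf[1]; return 0; }   /* short form */
    size_t nbytes = buf[1] & 0x7f;                    /* long form: number of length bytes */
    if (nbytes == 0 || nbytes > sizeof(size_t) || n < 2 + nbytes) return -1;
    size_t v = 0;
    for (size_t i = 0; i < nbytes; i++) v = (v << 8) | buf[2 + i];
    *len = v;
    return 0;
}

/* Reject an oversized element from its header alone, before the body is buffered. */
static int check_incoming(const conn_t *c, const uint8_t *hdr, size_t n) {
    size_t len;
    if (ber_peek_len(hdr, n, &len) != 0) return EINVAL;
    return len > c->max_incoming ? ERANGE : 0;        /* ERANGE is errno 34 on Linux */
}

/* Behaviour described in the ticket: limit copied once, when the slot is created. */
static void conn_init(conn_t *c) { c->max_incoming = g_maxbersize; }
static int conn_read_stale(const conn_t *c, const uint8_t *h, size_t n) { return check_incoming(c, h, n); }

/* Behaviour of the fix: refresh the limit from config before every read. */
static int conn_read_fixed(conn_t *c, const uint8_t *h, size_t n) {
    c->max_incoming = g_maxbersize;
    return check_incoming(c, h, n);
}

int main(void) {
    conn_t c;
    conn_init(&c);
    g_maxbersize = 4194304;                           /* limit raised while connection is open */
    int stale = conn_read_stale(&c, HDR, sizeof HDR);
    int fixed = conn_read_fixed(&c, HDR, sizeof HDR);
    printf("stale=%d fixed=%d\n", stale, fixed);
    return 0;
}
```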
Metadata Update from @nhosoi: - Issue assigned to nhosoi - Issue set to the milestone: 1.3.0.2
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/542
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for any inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)