#47937 Crash in entry_add_present_values_wsi_multi_valued
Closed: Fixed None Opened 4 years ago by mreynolds.

entry_add_present_values_wsi_multi_valued() crashes when "type" is in invalid attribute name: "cn "

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fef867fc700 (LWP 16374)]
0x00007fefa64a4204 in entry_add_present_values_wsi_multi_valued (e=0x7fef68003ac0, 
    type=0x7fef68005ff0 "cn ", bervals=0x7fef68006010, csn=0x7fef867f75b0, urp=0, 
    flags=0) at ../ds/ldap/servers/slapd/entrywsi.c:548
548         a_flags_orig = a->a_flags;


546   int attr_state = entry_attr_find_wsi(e, type, &a);
547 
548   a_flags_orig = a->a_flags;  -->  "a" is NULL and then dereferenced

(gdb) where
#0  0x00007fefa64a4204 in entry_add_present_values_wsi_multi_valued (e=0x7fef68003ac0, 
    type=0x7fef68005ff0 "cn ", bervals=0x7fef68006010, csn=0x7fef867f75b0, urp=0, 
    flags=0) at ../ds/ldap/servers/slapd/entrywsi.c:548
#1  0x00007fefa64a3e7f in entry_add_present_values_wsi (e=0x7fef68003ac0, 
    type=0x7fef68005ff0 "cn ", bervals=0x7fef68006010, csn=0x7fef867f75b0, urp=0, 
    flags=0) at ../ds/ldap/servers/slapd/entrywsi.c:446
#2  0x00007fefa64a4da8 in entry_replace_present_values_wsi (e=0x7fef68003ac0, 
    type=0x7fef68005ff0 "cn ", vals=0x7fef68006010, csn=0x7fef867f75b0, urp=0)
    at ../ds/ldap/servers/slapd/entrywsi.c:912
#3  0x00007fefa64a4f35 in entry_apply_mod_wsi (e=0x7fef68003ac0, mod=0x7fef68005fb0, 
    csn=0x7fef867f75b0, urp=0) at ../ds/ldap/servers/slapd/entrywsi.c:940
#4  0x00007fefa64a51bd in entry_apply_mods_wsi (e=0x7fef68003ac0, smods=0x7fef867f7630, 
    csn=0x7fef680029c0, urp=0) at ../ds/ldap/servers/slapd/entrywsi.c:1010
#5  0x00007fef9bfd6ca5 in modify_apply_check_expand (pb=0x7fef867fbb10, 
    operation=0x25c4110, mods=0x7fef68001910, e=0x7fef64002260, ec=0x7fef68003a50, 
    postentry=0x7fef867f7718, ldap_result_code=0x7fef867f76a4, 
    ldap_result_message=0x7fef867f7738)
    at ../ds/ldap/servers/slapd/back-ldbm/ldbm_modify.c:276
#6  0x00007fef9bfd7ada in ldbm_back_modify (pb=0x7fef867fbb10)
    at ../ds/ldap/servers/slapd/back-ldbm/ldbm_modify.c:654
#7  0x00007fefa64d4717 in op_shared_modify (pb=0x7fef867fbb10, pw_change=0, old_pw=0x0)
    at ../ds/ldap/servers/slapd/modify.c:1081
#8  0x00007fefa64d2d31 in do_modify (pb=0x7fef867fbb10)
    at ../ds/ldap/servers/slapd/modify.c:419
#9  0x0000000000415f1f in connection_dispatch_operation (conn=0x7fefa680d560, 
    op=0x25c4110, pb=0x7fef867fbb10) at ../ds/ldap/servers/slapd/connection.c:660
#10 0x0000000000417e87 in connection_threadmain ()
    at ../ds/ldap/servers/slapd/connection.c:2534
#11 0x00007fefa48c2e3b in _pt_root (arg=0x25a97a0)
    at ../../../nspr/pr/src/pthreads/ptthread.c:212
#12 0x00007fefa4262ee5 in start_thread (arg=0x7fef867fc700) at pthread_create.c:309
#13 0x00007fefa3f91b8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

How did the invalid attribute name get in there in the first place?

Replying to [comment:1 rmeggins]:

How did the invalid attribute name get in there in the first place?

DNA plugin config entry in cn=config: "dnaType: cn "

Replying to [comment:2 mreynolds]:

Replying to [comment:1 rmeggins]:

How did the invalid attribute name get in there in the first place?

DNA plugin config entry in cn=config: "dnaType: cn "

Looks like we should also add schema checking to whatever parses that data.

Replying to [comment:3 rmeggins]:

Replying to [comment:2 mreynolds]:

Replying to [comment:1 rmeggins]:

How did the invalid attribute name get in there in the first place?

DNA plugin config entry in cn=config: "dnaType: cn "

Looks like we should also add schema checking to whatever parses that data.

dnaType is in the schema, but it has directory string syntax, so "cn " is valid. We could probably normalize the value using: slapi_attr_syntax_normalize_ext()

Steps to reproduce:

[1] Install DS using "dc=example,dc=com"
[2] Create two "ou" branches, and a entry:

  ou=people,dc=example,dc=com
  ou=ranges,dc=example,dc=com
  cn=entry,ou=people,dc=example,dc=com

[3] Configure the dna plugin

ldapmodify ...

dn: cn=Distributed Numeric Assignment Plugin,cn=plugins
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

dn: cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: dnaPluginConfig
cn: dnaConfig
dnaType: cn
dnaMaxValue: 10000
dnaMagicRegen: 0
dnaFilter: (objectclass=top)
dnaScope: ou=people,dc=example,dc=com
dnaNextValue: 500
dnaSharedCfgDN: ou=ranges,dc=example,dc=com

dn: dnaHostname=localhost.localdomain+dnaPortNum=389,ou=ranges,dc=example,dc=com
changetype: add
objectClass: dnaSharedConfig
objectClass: top
dnaHostname: localhost.localdomain
dnaPortNum: 389
dnaSecurePortNum: 636
dnaRemainingValues: 9501

[4] Restart the server

[5] Change dnaType to use a attribute with a trailing space: "cn "

ldapmodify...

dn: cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: dnaType
dnaType: cn

[6] Modify the entry in any way, and a crash will occur

ldapmodify

dn: cn=entry,ou=people,dc=example,dc=com
changetype: modify
replace: description
description: new description

Replying to [comment:4 mreynolds]:

Replying to [comment:3 rmeggins]:

Replying to [comment:2 mreynolds]:

Replying to [comment:1 rmeggins]:

How did the invalid attribute name get in there in the first place?

DNA plugin config entry in cn=config: "dnaType: cn "

Looks like we should also add schema checking to whatever parses that data.

dnaType is in the schema, but it has directory string syntax, so "cn " is valid.

No, what I mean is that the values of the attribute dnaType are expected to be a valid attributeTypes. So we should do schema checking on the values.

We could probably normalize the value using: slapi_attr_syntax_normalize_ext()

If we do schema checking on the value, I don't think we have to normalize first.

Steps to reproduce:

[1] Install DS using "dc=example,dc=com"
[2] Create two "ou" branches, and a entry:

  ou=people,dc=example,dc=com
  ou=ranges,dc=example,dc=com
  cn=entry,ou=people,dc=example,dc=com

[3] Configure the dna plugin

ldapmodify ...

dn: cn=Distributed Numeric Assignment Plugin,cn=plugins
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

dn: cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: dnaPluginConfig
cn: dnaConfig
dnaType: cn
dnaMaxValue: 10000
dnaMagicRegen: 0
dnaFilter: (objectclass=top)
dnaScope: ou=people,dc=example,dc=com
dnaNextValue: 500
dnaSharedCfgDN: ou=ranges,dc=example,dc=com

dn: dnaHostname=localhost.localdomain+dnaPortNum=389,ou=ranges,dc=example,dc=com
changetype: add
objectClass: dnaSharedConfig
objectClass: top
dnaHostname: localhost.localdomain
dnaPortNum: 389
dnaSecurePortNum: 636
dnaRemainingValues: 9501

[4] Restart the server

[5] Change dnaType to use a attribute with a trailing space: "cn "

ldapmodify...

dn: cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: dnaType
dnaType: cn

[6] Modify the entry in any way, and a crash will occur

ldapmodify

dn: cn=entry,ou=people,dc=example,dc=com
changetype: modify
replace: description
description: new description

Bug is present in 1.3.2 and up

Thank you for the version info, Mark!! That's what I was going to check. ;)

git merge ticket47937
Updating 958be12..3cdf0eb
Fast-forward
dirsrvtests/tickets/ticket47937_test.py | 237 ++++++++++++++++++++++++++++++++++++++++++
ldap/servers/plugins/dna/dna.c | 8 ++
ldap/servers/slapd/entrywsi.c | 5 +-
3 files changed, 248 insertions(+), 2 deletions(-)
create mode 100644 dirsrvtests/tickets/ticket47937_test.py

git push origin master
958be12..3cdf0eb master -> master

commit 3cdf0eb
Author: Mark Reynolds mreynolds@redhat.com
Date: Fri Oct 24 14:14:25 2014 -0400

b7b4981..738d985 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit 738d985

ce1f451..896424f 389-ds-base-1.3.2 -> 389-ds-base-1.3.2
commit 896424f

Metadata Update from @mreynolds:
- Issue assigned to mreynolds
- Issue set to the milestone: 1.3.2.24

2 years ago

Login to comment on this ticket.

Metadata