#47937 Crash in entry_add_present_values_wsi_multi_valued
Closed: wontfix. Opened 6 years ago by mreynolds.

entry_add_present_values_wsi_multi_valued() crashes when "type" is an invalid attribute name: "cn " (trailing space)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fef867fc700 (LWP 16374)]
0x00007fefa64a4204 in entry_add_present_values_wsi_multi_valued (e=0x7fef68003ac0, 
    type=0x7fef68005ff0 "cn ", bervals=0x7fef68006010, csn=0x7fef867f75b0, urp=0, 
    flags=0) at ../ds/ldap/servers/slapd/entrywsi.c:548
548         a_flags_orig = a->a_flags;


546   int attr_state = entry_attr_find_wsi(e, type, &a);
547 
548   a_flags_orig = a->a_flags;  -->  "a" is NULL and then dereferenced

(gdb) where
#0  0x00007fefa64a4204 in entry_add_present_values_wsi_multi_valued (e=0x7fef68003ac0, 
    type=0x7fef68005ff0 "cn ", bervals=0x7fef68006010, csn=0x7fef867f75b0, urp=0, 
    flags=0) at ../ds/ldap/servers/slapd/entrywsi.c:548
#1  0x00007fefa64a3e7f in entry_add_present_values_wsi (e=0x7fef68003ac0, 
    type=0x7fef68005ff0 "cn ", bervals=0x7fef68006010, csn=0x7fef867f75b0, urp=0, 
    flags=0) at ../ds/ldap/servers/slapd/entrywsi.c:446
#2  0x00007fefa64a4da8 in entry_replace_present_values_wsi (e=0x7fef68003ac0, 
    type=0x7fef68005ff0 "cn ", vals=0x7fef68006010, csn=0x7fef867f75b0, urp=0)
    at ../ds/ldap/servers/slapd/entrywsi.c:912
#3  0x00007fefa64a4f35 in entry_apply_mod_wsi (e=0x7fef68003ac0, mod=0x7fef68005fb0, 
    csn=0x7fef867f75b0, urp=0) at ../ds/ldap/servers/slapd/entrywsi.c:940
#4  0x00007fefa64a51bd in entry_apply_mods_wsi (e=0x7fef68003ac0, smods=0x7fef867f7630, 
    csn=0x7fef680029c0, urp=0) at ../ds/ldap/servers/slapd/entrywsi.c:1010
#5  0x00007fef9bfd6ca5 in modify_apply_check_expand (pb=0x7fef867fbb10, 
    operation=0x25c4110, mods=0x7fef68001910, e=0x7fef64002260, ec=0x7fef68003a50, 
    postentry=0x7fef867f7718, ldap_result_code=0x7fef867f76a4, 
    ldap_result_message=0x7fef867f7738)
    at ../ds/ldap/servers/slapd/back-ldbm/ldbm_modify.c:276
#6  0x00007fef9bfd7ada in ldbm_back_modify (pb=0x7fef867fbb10)
    at ../ds/ldap/servers/slapd/back-ldbm/ldbm_modify.c:654
#7  0x00007fefa64d4717 in op_shared_modify (pb=0x7fef867fbb10, pw_change=0, old_pw=0x0)
    at ../ds/ldap/servers/slapd/modify.c:1081
#8  0x00007fefa64d2d31 in do_modify (pb=0x7fef867fbb10)
    at ../ds/ldap/servers/slapd/modify.c:419
#9  0x0000000000415f1f in connection_dispatch_operation (conn=0x7fefa680d560, 
    op=0x25c4110, pb=0x7fef867fbb10) at ../ds/ldap/servers/slapd/connection.c:660
#10 0x0000000000417e87 in connection_threadmain ()
    at ../ds/ldap/servers/slapd/connection.c:2534
#11 0x00007fefa48c2e3b in _pt_root (arg=0x25a97a0)
    at ../../../nspr/pr/src/pthreads/ptthread.c:212
#12 0x00007fefa4262ee5 in start_thread (arg=0x7fef867fc700) at pthread_create.c:309
#13 0x00007fefa3f91b8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

How did the invalid attribute name get in there in the first place?

Replying to [comment:1 rmeggins]:

How did the invalid attribute name get in there in the first place?

DNA plugin config entry in cn=config: "dnaType: cn "

Replying to [comment:2 mreynolds]:

DNA plugin config entry in cn=config: "dnaType: cn "

Looks like we should also add schema checking to whatever parses that data.

Replying to [comment:3 rmeggins]:

Looks like we should also add schema checking to whatever parses that data.

dnaType is in the schema, but it has directory string syntax, so "cn " is valid. We could probably normalize the value using: slapi_attr_syntax_normalize_ext()

Steps to reproduce:

[1] Install DS using "dc=example,dc=com"
[2] Create two "ou" branches, and an entry:

  ou=people,dc=example,dc=com
  ou=ranges,dc=example,dc=com
  cn=entry,ou=people,dc=example,dc=com

[3] Configure the dna plugin

ldapmodify ...

dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

dn: cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: dnaPluginConfig
cn: dnaConfig
dnaType: cn
dnaMaxValue: 10000
dnaMagicRegen: 0
dnaFilter: (objectclass=top)
dnaScope: ou=people,dc=example,dc=com
dnaNextValue: 500
dnaSharedCfgDN: ou=ranges,dc=example,dc=com

dn: dnaHostname=localhost.localdomain+dnaPortNum=389,ou=ranges,dc=example,dc=com
changetype: add
objectClass: dnaSharedConfig
objectClass: top
dnaHostname: localhost.localdomain
dnaPortNum: 389
dnaSecurePortNum: 636
dnaRemainingValues: 9501

[4] Restart the server

[5] Change dnaType to use an attribute with a trailing space: "cn "

ldapmodify...

dn: cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: dnaType
# the value is "cn " with a trailing space; base64 ("::") keeps the space intact
dnaType:: Y24g

[6] Modify the entry in any way, and a crash will occur

ldapmodify

dn: cn=entry,ou=people,dc=example,dc=com
changetype: modify
replace: description
description: new description

Replying to [comment:4 mreynolds]:

dnaType is in the schema, but it has directory string syntax, so "cn " is valid.

No, what I mean is that the values of the attribute dnaType are expected to be a valid attributeTypes. So we should do schema checking on the values.

We could probably normalize the value using: slapi_attr_syntax_normalize_ext()

If we do schema checking on the value, I don't think we have to normalize first.

Bug is present in 1.3.2 and up
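The thread above settles on checking dnaType values against the attribute-type grammar instead of trusting directory-string syntax. The following is an added example written for this page, not code from 389-ds-base and not the fix landed in commit 3cdf0eb (the page does not show that diff). It validates a configured attribute name with the attribute description grammar from RFC 4512 section 2.5 (a descriptor keystring or a numeric OID, optionally followed by ";option" parts) and applies it to a constructed list of dnaType values. All function names and the sample values are this example's own assumptions; "cn " is the value from the ticket.

```c
/* Added example (not 389-ds-base code): reject a configured attribute type
 * name before it can reach entry_attr_find_wsi() with an unknown type.
 * Whitespace is never part of the grammar, so "cn " (trailing space) fails
 * while "cn", "cn;lang-en" and "2.5.4.3" pass. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* keystring = leadkeychar *keychar ; leadkeychar = ALPHA ; keychar = ALPHA / DIGIT / HYPHEN */
static bool scan_keystring(const char **p)
{
    const char *s = *p;
    if (!isalpha((unsigned char)*s))
        return false;
    while (isalnum((unsigned char)*s) || *s == '-')
        s++;
    *p = s;
    return true;
}

/* number = DIGIT / ( LDIGIT 1*DIGIT ) : a lone "0" is fine, "01" is not */
static bool scan_number(const char **p)
{
    const char *s = *p;
    if (!isdigit((unsigned char)*s))
        return false;
    if (*s == '0') {
        s++;
    } else {
        while (isdigit((unsigned char)*s))
            s++;
    }
    *p = s;
    return true;
}

/* numericoid = number 1*( DOT number ) : at least two components */
static bool scan_numericoid(const char **p)
{
    const char *s = *p;
    int components = 0;
    if (!scan_number(&s))
        return false;
    components = 1;
    while (*s == '.') {
        s++;
        if (!scan_number(&s))
            return false;
        components++;
    }
    if (components < 2)
        return false;
    *p = s;
    return true;
}

/* Returns true iff s is a syntactically valid attribute description
 * (RFC 4512: attributedescription = attributetype options). */
bool attr_description_is_valid(const char *s)
{
    if (s == NULL || *s == '\0')
        return false;
    const char *p = s;
    if (isdigit((unsigned char)*p)) {
        if (!scan_numericoid(&p))
            return false;
    } else if (!scan_keystring(&p)) {
        return false;
    }
    /* options = *( SEMI option ) ; option = 1*keychar */
    while (*p == ';') {
        p++;
        const char *start = p;
        while (isalnum((unsigned char)*p) || *p == '-')
            p++;
        if (p == start)
            return false;
    }
    /* anything left over, such as a trailing space, is an error */
    return *p == '\0';
}

/* Hypothetical config-time check for a multi-valued dnaType: returns the
 * index of the first unusable value, or -1 if every value is acceptable. */
int check_dna_type_values(const char *const *values, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if (!attr_description_is_valid(values[i])) {
            fprintf(stderr, "dnaType value %zu (\"%s\") is not a valid attribute type\n",
                    i, values[i]);
            return (int)i;
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed sample configs; the second one is the ticket's "cn ". */
    static const char *const cfg_ok[]  = { "cn", "uidNumber", "cn;lang-en", "2.5.4.3" };
    static const char *const cfg_bad[] = { "cn", "cn " };
    printf("good config -> %d\n", check_dna_type_values(cfg_ok, 4));
    printf("ticket config -> first bad index %d\n", check_dna_type_values(cfg_bad, 2));
    return 0;
}
```

The check is purely syntactic; a production plugin would additionally look the name up in the loaded schema, which is the point rmeggins makes in comment 5. Rejecting the value at config-parse time is also what keeps a misconfiguration in cn=config from turning into a crash on an unrelated modify of an ordinary entry.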

Thank you for the version info, Mark!! That's what I was going to check. ;)

git merge ticket47937
Updating 958be12..3cdf0eb
Fast-forward
dirsrvtests/tickets/ticket47937_test.py | 237 ++++++++++++++++++++++++++++++++++++++++++
ldap/servers/plugins/dna/dna.c | 8 ++
ldap/servers/slapd/entrywsi.c | 5 +-
3 files changed, 248 insertions(+), 2 deletions(-)
create mode 100644 dirsrvtests/tickets/ticket47937_test.py

git push origin master
958be12..3cdf0eb master -> master

commit 3cdf0eb
Author: Mark Reynolds mreynolds@redhat.com
Date: Fri Oct 24 14:14:25 2014 -0400

b7b4981..738d985 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit 738d985

ce1f451..896424f 389-ds-base-1.3.2 -> 389-ds-base-1.3.2
commit 896424f

Metadata Update from @mreynolds:
- Issue assigned to mreynolds
- Issue set to the milestone: 1.3.2.24

3 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1268

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

a month ago
