#16 slapi-nis issue internal searches on NULL base
Opened 4 years ago by tbordaz. Modified 4 years ago

ipa-server-4.4.0-14.el7_3.7.x86_64
slapi-nis-0.56.0-4.el7.x86_64

During installation of a freeipa replica, while adding an LDAP entry, slapi-nis does internal searches on sub-trees (users, groups) to update references of already mapped entries. In addition to those correct sub-trees, slapi-nis may issue an additional internal search on a NULL base.

Because of bug https://pagure.io/389-ds-base/issue/49291, it triggers that DS crash. (see backstack below)

The bug is that slapi-nis should detect invalid base before calling slapi_search_internal_set_pb (that does not return error on incomplete pblock setting).

(gdb) where
#0  0x00007fa579a22711 in send_ldap_result_ext (pb=pb@entry=0x7fa528007550, err=err@entry=53, matched=matched@entry=0x0, 
    text=text@entry=0x7fa579a4c708 "This plugin is not configured to access operation target data", nentries=nentries@entry=0, 
    urls=urls@entry=0x0, ber=ber@entry=0x0) at ldap/servers/slapd/result.c:353
#1  0x00007fa579a22fd1 in send_ldap_result (pb=pb@entry=0x7fa528007550, err=err@entry=53, matched=matched@entry=0x0, 
    text=text@entry=0x7fa579a4c708 "This plugin is not configured to access operation target data", nentries=nentries@entry=0, 
    urls=urls@entry=0x0) at ldap/servers/slapd/result.c:194
#2  0x00007fa579a13260 in slapi_search_internal_callback_pb (pb=pb@entry=0x7fa528007550, 
    callback_data=callback_data@entry=0x7fa53bfe5ea0, prc=prc@entry=0x0, 
    psec=psec@entry=0x7fa56a802df0 <backend_shr_note_entry_sdn_cb>, prec=prec@entry=0x0)
    at ldap/servers/slapd/plugin_internal_op.c:559
#3  0x00007fa56a804a61 in backend_shr_update_references_cb (group=0x7fa520007d50 "cn=compat,<suffix>", 
    set=0x7fa52000aa50 "cn=groups", flag=<optimized out>, backend_data=0x7fa52392daa0, cbdata_ptr=<optimized out>)
    at back-shr.c:1539
#4  0x00007fa56a81203f in map_data_foreach_map (state=state@entry=0x7fa57b585a30, domain_name=domain_name@entry=0x0, 
    fn=fn@entry=0x7fa56a803fd0 <backend_shr_update_references_cb>, cbdata=cbdata@entry=0x7fa53bfe5f50) at map.c:347
#5  0x00007fa56a80279b in backend_shr_update_references (state=0x7fa57b585a30, pb=pb@entry=0x7fa53bfe6a90, e=<optimized out>, 
    mods=mods@entry=0x0, modlist=modlist@entry=0x0) at back-shr.c:1825
#6  0x00007fa56a803a17 in backend_shr_add_cb (pb=pb@entry=0x7fa53bfe6a90) at back-shr.c:1953
#7  0x00007fa56a803b41 in backend_shr_add_cb (pb=0x7fa53bfe6a90) at back-shr.c:1883
#8  backend_shr_betxn_post_add_cb (pb=0x7fa53bfe6a90) at back-shr.c:1965
#9  0x00007fa579a0db18 in plugin_call_func (list=0x7fa57b58e910, operation=operation@entry=560, pb=pb@entry=0x7fa53bfe6a90, 
call_one=call_one@entry=0) at ldap/servers/slapd/plugin.c:2049
#10 0x00007fa579a0dda3 in plugin_call_list (pb=0x7fa53bfe6a90, operation=560, list=<optimized out>)
    at ldap/servers/slapd/plugin.c:1993
#11 plugin_call_plugins (pb=pb@entry=0x7fa53bfe6a90, whichfunction=whichfunction@entry=560) at ldap/servers/slapd/plugin.c:445
#12 0x00007fa56c7b9b94 in ldbm_back_add (pb=0x7fa53bfe6a90) at ldap/servers/slapd/back-ldbm/ldbm_add.c:1150
#13 0x00007fa5799b1ed8 in op_shared_add (pb=pb@entry=0x7fa53bfe6a90) at ldap/servers/slapd/add.c:699
#14 0x00007fa5799b31a0 in do_add (pb=pb@entry=0x7fa53bfe6a90) at ldap/servers/slapd/add.c:226
#15 0x00007fa579ee59c3 in connection_dispatch_operation (pb=0x7fa53bfe6a90, op=0x7fa57b7521b0, conn=0x7fa57bc05118)
    at ldap/servers/slapd/connection.c:612
#16 connection_threadmain () at ldap/servers/slapd/connection.c:1759
#17 0x00007fa577bdb9bb in _pt_root (arg=0x7fa57bbcf3d0) at ../../../nspr/pr/src/pthreads/ptthread.c:216
#18 0x00007fa57757bdc5 in start_thread (arg=0x7fa53bfe7700) at pthread_create.c:308
#19 0x00007fa5772aa76d in __lseek_nocancel () at ../sysdeps/unix/syscall-template.S:81
#20 0x0000000000000000 in ?? ()

The RC is that the backend data contains an invalid backend_sdn list that is not NULL terminated.

During that ADD, schema-compat updates its mapped entries that can get values from the added entry.
It intend to do an internal searches like
"(member=cn=KEYS,cn=lipa02.c01.aaa.gen.adm2.util.mlbam.net,cn=masters,cn=ipa,cn=etc,<suffix>)"
on some subtrees, in particular
- "cn=groups,cn=accounts,<suffix>"
- "cn=users,cn=accounts,<suffix>"

    (gdb) print *((struct backend_shr_set_data *) backend_data)->ref_attr_list[0].links.base_sdn_list[0]
    $70 = {flag = 15 '\017', udn = 0x7fa510f8b210 "cn=groups,cn=accounts,<suffix>", 
      dn = 0x7fa523e64b60 "cn=groups,cn=accounts,<suffix>", 
      ndn = 0x7fa523e64a20 "cn=groups,cn=accounts,<suffix>", 
      ndn_len = 37}
    (gdb) print *((struct backend_shr_set_data *) backend_data)->ref_attr_list[0].links.base_sdn_list[1]
    $71 = {flag = 15 '\017', udn = 0x7fa523e64b30 "cn=users,cn=accounts,<suffix>", 
      dn = 0x7fa5102f3200 "cn=users,cn=accounts,<suffix>", 
      ndn = 0x7fa5102f30e0 "cn=users,cn=accounts,<suffix>", 
      ndn_len = 36}

A problem is that the set of search bases contains an invalid base

    (gdb) print *((struct backend_shr_set_data *) backend_data)->ref_attr_list[0].links.base_sdn_list[2]
    $72 = {flag = 9 '\t', udn = 0x0, dn = 0x0, ndn = 0x0, ndn_len = 0}

This ticket is specifically to improve slapi-nis robustness in order to check backend sdn before calling slapi_search_internal_set_pb

A separated ticket should be opened to fix the problem of incorrectly NULL terminated list of backends.

Looks OK except

143 +ยป       slapi_search_internal_set_pb(pb, , LDAP_SCOPE_BASE,

you have an excessive comma there.

Login to comment on this ticket.

Metadata