
Re: (ITS#4180) slapd (back-sql) hangs/segfaults on SASL bind
On Tue, 2005-11-22 at 11:07 -0700, Nels Lindquist wrote:
> Okay, I've got a non-optimized build:
> 
> 545             struct propval auxvals[3] = { 0 };
> (gdb) p auxvals
> $9 = {{name = 0x9f84de8 "�Jø\t", values = 0x9f84de8, nvalues = 0, 
>     valsize = 167046113}, {name = 0x4 <Address 0x4 out of bounds>, 
>     values = 0x8163cf0, nvalues = 1929434472, valsize = 135257559}, {
>     name = 0x9f84deb "\t", values = 0x9f84de8, nvalues = 1, 
>     valsize = 167267816}}
> 551             *out_len = 0;
> (gdb) p auxvals
> $10 = {{name = 0x0, values = 0x0, nvalues = 0, valsize = 0}, {name = 0x0, 
>     values = 0x0, nvalues = 0, valsize = 0}, {name = 0x0, values = 0x0, 
>     nvalues = 0, valsize = 0}}
> 
> [....]
> 
> 573             prop_getnames( props, slap_propnames, auxvals );
> (gdb) p auxvals
> $11 = {{name = 0x0, values = 0x0, nvalues = 0, valsize = 0}, {name = 
> 0x0, values = 0x0, nvalues = 0, valsize = 0}, {name = 0x0, values = 
> 0x0, nvalues = 0, valsize = 0}}
> 574             if ( !auxvals[0].name )
> (gdb) p auxvals[which].values
> $13 = (const char **) 0x9f621b4
> (gdb) p auxvals
> $14 = {{name = 0x811f224 "*slapConn", values = 0x9f621b4, nvalues = 
> 1, 
>     valsize = 4}, {name = 0x811f22e "*slapAuthcDN", values = 
> 0x9f621bc, 
>     nvalues = 1, valsize = 8}, {name = 0x811f23b "*slapAuthzDN", 
>     values = 0x9f621d4, nvalues = 1, valsize = 6}}
> (gdb) p *((struct berval *)0x9f621bc)
> $15 = {bv_len = 167126546, bv_val = 0x0}
> (gdb) p *((struct berval *)0x9f621d4)
> $16 = {bv_len = 167126525, bv_val = 0x0}

OK, something is definitely going on across the two calls to
slap_sasl_canonicalize() that fill that field, but I have no clue.  At
this point, I'd suspect libsasl2 itself, because I don't see any strange
behavior in slapd, either with gdb or with memory check tools.
Something is polluting that "*slapAuthzDN" with apparently spurious
values.  Just out of curiosity, can you print those values with their
real type, i.e.

(gdb) p auxvals[1].values[0]

which in libsasl2's intentions should be a string (while slapd forces it
to be a pointer to a buffer that contains a struct berval)?

The next step, assuming there's some buffer overflow somewhere, would be
to run slapd under valgrind or some other memory checker tool.

p.




Ing. Pierangelo Masarati
Responsabile Open Solution

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
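The type mismatch Pierangelo describes above (libsasl2 treats each entry of `propval.values` as a C string, while slapd stores a pointer to a buffer holding a `struct berval`) is easy to get wrong in a debugger. The following is an added example, not code from slapd, back-sql or libsasl2: the two struct layouts are simplified stand-ins whose field names match the gdb output above, the `store_berval`/`load_berval`/`berval_is_sane` helpers and the `MAX_SANE_LEN` bound are assumptions, and the "garbage" berval is constructed from the values printed in the dump (`bv_len = 167126546, bv_val = 0x0`). It shows how the slot must be read back with the intended type, and a sanity check that would flag the polluted `*slapAuthzDN` value before slapd dereferences it.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins (assumption): field names follow the gdb dump,
 * the exact layouts of the real OpenLDAP/Cyrus SASL structs are not used. */
struct berval {
    size_t bv_len;
    char  *bv_val;
};

struct propval {
    const char  *name;
    const char **values;   /* libsasl2 expects each entry to be a C string */
    unsigned     nvalues;
    unsigned     valsize;
};

/* Assumed upper bound for a plausible DN; a bv_len far beyond it, as in the
 * dump above, means the slot does not hold a valid berval. */
#define MAX_SANE_LEN 65536u

/* slapd's convention as described in the thread: the "string" stored in the
 * value slot is really a pointer to a buffer containing a struct berval. */
static void store_berval(struct propval *pv, const char *name,
                         const char **slot, struct berval *bv)
{
    pv->name    = name;
    slot[0]     = (const char *)bv;      /* pointer smuggled through a char* slot */
    pv->values  = slot;
    pv->nvalues = 1;
    pv->valsize = (unsigned)(bv->bv_val ? strlen(bv->bv_val) : 0);
}

/* Read the slot back with the type slapd intended, guarding every step that
 * gdb showed as 0x0 at some point in the session. */
static const struct berval *load_berval(const struct propval *pv)
{
    if (pv == NULL || pv->nvalues < 1 || pv->values == NULL
        || pv->values[0] == NULL)
        return NULL;
    return (const struct berval *)pv->values[0];
}

/* 1 if the berval is self-consistent, 0 if it looks like the polluted value
 * from the dump (NULL bv_val together with a huge bv_len). */
static int berval_is_sane(const struct berval *bv)
{
    if (bv == NULL)
        return 0;
    if (bv->bv_val == NULL)
        return bv->bv_len == 0;
    if (bv->bv_len > MAX_SANE_LEN)
        return 0;
    return strlen(bv->bv_val) == bv->bv_len;
}

/* Constructed round trip: a well-formed authzDN survives store/load and
 * passes the check; returns its length (8 for "cn=admin"). */
unsigned demo_authzdn_len(void)
{
    static char        dn[] = "cn=admin";
    static struct berval bv = { sizeof dn - 1, dn };
    static const char *slot[1];
    struct propval     pv;
    const struct berval *back;

    store_berval(&pv, "*slapAuthzDN", slot, &bv);
    back = load_berval(&pv);
    if (!berval_is_sane(back))
        return 0;
    return (unsigned)back->bv_len;
}

/* Constructed reproduction of the polluted slot from the gdb session:
 * the check must reject it instead of letting bv_val be dereferenced. */
int demo_garbage_detected(void)
{
    static struct berval bad = { 167126546u, NULL };
    static const char *slot[1];
    struct propval     pv;

    store_berval(&pv, "*slapAuthzDN", slot, &bad);
    return berval_is_sane(load_berval(&pv)) == 0;
}
```

In a gdb session the equivalent of `load_berval` is the cast Pierangelo asks for, `p *((struct berval *)auxvals[1].values[0])`, while `p auxvals[1].values[0]` prints the same bytes as libsasl2 would see them, as a (bogus) string.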