
(ITS#4364) syncrepl consumer logfilter can cause DOS on provider



Full_Name: Francis Swasey
Version: 2.3.18
OS: Red Hat Enterprise Linux v4
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (132.198.45.127)


Defining a logfilter which is illegal (such as the following:

logfilter="(&(objectclass=auditWriteObject)(reqResult=0)(reqDN=*,dc=edu))"

) will cause the syncrepl provider using the accesslog overlay to log the
illegal filter and upon the first update the send_ldap_result attempting to send
the information to the consumer will cause a segmentation fault.

Here is an excerpt from the typescript of running slapd -d -1 on the provider to
demonstrate:

conn=1 op=1 SRCH base="cn=accesslog" scope=2 deref=0 filter="(&(objectClass=auditWriteObject)(reqResult=0)(?=undefined))"
conn=1 op=1 SRCH attr=reqDN reqType reqMod reqNewRDN reqDeleteOldRDN reqNewSuperior entryCSN
slap_global_control: unavailable control: 1.3.6.1.4.1.4203.1.9.1.1
==> limits_get: conn=1 op=1 dn="cn=syncuser,dc=uvm,dc=edu"
<== limits_get: type=DN match=EXACT dn="cn=syncuser,dc=uvm,dc=edu"
=> hdb_search
bdb_dn2entry("cn=accesslog")
base_candidates: base: "cn=accesslog" (0x00000001)
=> test_filter
    PRESENT
=> access_allowed: search access to "cn=accesslog" "objectClass" requested
=> acl_get: [1] attr objectClass
=> acl_mask: access to entry "cn=accesslog", attr "objectClass" requested
=> acl_mask: to all values by "cn=syncuser,dc=uvm,dc=edu", (=0) 
<= check a_dn_pat: cn=replicator,dc=uvm,dc=edu
<= check a_dn_pat: cn=syncuser,dc=uvm,dc=edu
<= acl_mask: [2] applying read(=rscxd) (stop)
<= acl_mask: [2] mask: read(=rscxd)
=> access_allowed: search access granted by read(=rscxd)
<= test_filter 6
send_ldap_result: conn=1 op=1 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_result: conn=1 op=1 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_intermediate: err=0 oid=1.3.6.1.4.1.4203.1.9.1.4 len=48
send_ldap_response: msgid=2 tag=121 err=0
ber_flush: 83 bytes to sd 21
...
conn=1 op=1 INTERM oid=1.3.6.1.4.1.4203.1.9.1.4
str2filter "(&(objectClass=auditWriteObject)(reqResult=0)(?=undefined))"
put_filter: "(&(objectClass=auditWriteObject)(reqResult=0)(?=undefined))"
put_filter: AND
put_filter_list "(objectClass=auditWriteObject)(reqResult=0)(?=undefined)"
put_filter: "(objectClass=auditWriteObject)"
put_filter: simple
put_simple_filter: "objectClass=auditWriteObject"
put_filter: "(reqResult=0)"
put_filter: simple
put_simple_filter: "reqResult=0"
put_filter: "(?=undefined)"
put_filter: simple
put_simple_filter: "?=undefined"
...
conn=2 op=1 MOD dn="uid=fcswasey,ou=People,dc=uvm,dc=edu"
conn=2 op=1 MOD attr=initials
...
==> hdb_add: reqStart=20060123154448.000001Z,cn=accesslog
...
hdb_add: added id=0000392d dn="reqStart=20060123154448.000001Z,cn=accesslog"
send_ldap_result: conn=2 op=1 p=3
send_ldap_result: err=0 matched="" text=""
=> test_filter
Segmentation fault
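
A provider-side log check, added here as an example and not part of the original report or of OpenLDAP: it scans slapd debug output for SRCH records whose filter contains `(?=undefined)`, the form the illegal logfilter term takes in the excerpt above, so that such a consumer search can be spotted in the provider's log. The function names, the join cap and the sample log are constructed for illustration.

```python
import re

# Constructed sample, modelled on the slapd debug lines in the report above.
# The cn=accesslog search is wrapped mid-record, as a terminal typescript may do.
SAMPLE_LOG = """\
conn=3 op=2 SRCH base="dc=uvm,dc=edu" scope=2 deref=0 filter="(uid=fcswasey)"
conn=1 op=1 SRCH base="cn=accesslog" scope=2 deref=0
filter="(&(objectClass=audi
tWriteObject)(reqResult=0)(?=undefined))"
conn=1 op=1 SRCH attr=reqDN reqType reqMod
conn=4 op=1 SRCH base="cn=accesslog" scope=2 deref=0 filter="(reqResult=0)"
"""

SRCH_RE = re.compile(
    r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d+ deref=\d+\s*filter="(.*)"')
UNDEFINED = "(?=undefined)"  # form the illegal term takes in the provider log
MAX_JOIN = 4                 # assumed cap so a truncated record cannot eat the log


def unwrap(lines):
    """Rejoin SRCH records that a terminal wrapped across several lines."""
    out, i = [], 0
    while i < len(lines):
        rec, joined = lines[i], 0
        i += 1
        if " SRCH base=" in rec:
            # Incomplete until filter="..." has been both opened and closed.
            while (i < len(lines) and joined < MAX_JOIN
                   and ('filter="' not in rec or rec.count('"') % 2)):
                rec += lines[i]
                i, joined = i + 1, joined + 1
        out.append(rec)
    return out


def find_undefined_filters(log_text):
    """Return one dict per search whose filter has an undefined term."""
    hits = []
    for rec in unwrap(log_text.splitlines()):
        m = SRCH_RE.search(rec)
        if m and UNDEFINED in m.group(4):
            hits.append({"conn": int(m.group(1)), "op": int(m.group(2)),
                         "base": m.group(3), "filter": m.group(4),
                         "undefined_terms": m.group(4).count(UNDEFINED)})
    return hits


if __name__ == "__main__":
    for hit in find_undefined_filters(SAMPLE_LOG):
        print(hit)
```

A hit on a search based at the accesslog suffix points at a consumer whose logfilter should be corrected.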