Development/4289
Notes: compmatch
Date: Wed, 28 Dec 2005 23:36:12 GMT
From: vadim.tarassov@swissonline.ch
To: openldap-its@OpenLDAP.org
Subject: probably component matching filter issue
Full_Name: vadim tarassov
Version: 2.3.14
OS: solaris 8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (84.74.60.254)

Hello everybody,

as I am not familiar with openldap code and cannot yet identify the source of the problem, I decided to submit this issue.

When using the search filter:

"(userCertificate:componentFilterMatch:=item:{ component \"toBeSigned.serialNumber\", rule integerMatch, value 1768 })"

slapd performs the search operation and quits with return code 1.

Here is the debug output of slapd:

Dec 28 23:58:04 c003998 slapd[8210]: [ID 601841 local4.debug] daemon: activity on 1 descriptor
Dec 28 23:58:04 c003998 slapd[8210]: [ID 300852 local4.debug] daemon: listen=7, new connection on 11
Dec 28 23:58:04 c003998 slapd[8210]: [ID 624067 local4.debug] daemon: added 11r
Dec 28 23:58:04 c003998 slapd[8210]: [ID 848112 local4.debug] conn=0 fd=11 ACCEPT from IP=166.9.94.147:60408 (IP=0.0.0.0:10389)
Dec 28 23:58:04 c003998 slapd[8210]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=0 tvp=zero
Dec 28 23:58:04 c003998 slapd[8210]: [ID 601841 local4.debug] daemon: activity on 1 descriptor
Dec 28 23:58:04 c003998 slapd[8210]: [ID 802679 local4.debug] daemon: activity on:
Dec 28 23:58:04 c003998 slapd[8210]: [ID 522297 local4.debug] 11r
Dec 28 23:58:04 c003998 slapd[8210]: [ID 100000 local4.debug]
Dec 28 23:58:04 c003998 slapd[8210]: [ID 694296 local4.debug] daemon: read activity on 11
Dec 28 23:58:04 c003998 slapd[8210]: [ID 525477 local4.debug] connection_get(11)
Dec 28 23:58:04 c003998 slapd[8210]: [ID 611214 local4.debug] connection_get(11): got connid=0
Dec 28 23:58:04 c003998 slapd[8210]: [ID 138202 local4.debug] connection_read(11): checking for input on id=0
Dec 28 23:58:04 c003998 slapd[8210]: [ID 812316 local4.debug] ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable)
Dec 28 23:58:04 c003998 slapd[8210]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=0 tvp=zero
Dec 28 23:58:04 c003998 slapd[8210]: [ID 948228 local4.debug] do_bind
Dec 28 23:58:04 c003998 slapd[8210]: [ID 198467 local4.debug] >>> dnPrettyNormal: <cn=manager,ou=alcatraz,o=winterthur,c=ch>
Dec 28 23:58:04 c003998 slapd[8210]: [ID 147344 local4.debug] <<< dnPrettyNormal: <cn=manager,ou=alcatraz,o=winterthur,c=ch>, <cn=manager,ou=alcatraz,o=winterthur,c=ch>
Dec 28 23:58:04 c003998 slapd[8210]: [ID 286280 local4.debug] do_bind: version=3 dn="cn=manager,ou=alcatraz,o=winterthur,c=ch" method=128
Dec 28 23:58:04 c003998 slapd[8210]: [ID 215403 local4.debug] conn=0 op=0 BIND dn="cn=manager,ou=alcatraz,o=winterthur,c=ch" method=128
Dec 28 23:58:04 c003998 slapd[8210]: [ID 121414 local4.debug] ==> bdb_bind: dn: cn=manager,ou=alcatraz,o=winterthur,c=ch
Dec 28 23:58:04 c003998 slapd[8210]: [ID 600343 local4.debug] conn=0 op=0 BIND dn="cn=Manager,ou=Alcatraz,o=winterthur,c=ch" mech=SIMPLE ssf=0
Dec 28 23:58:04 c003998 slapd[8210]: [ID 469106 local4.debug] do_bind: v3 bind: "cn=manager,ou=alcatraz,o=winterthur,c=ch" to "cn=Manager,ou=Alcatraz,o=winterthur,c=ch"
Dec 28 23:58:04 c003998 slapd[8210]: [ID 131099 local4.debug] send_ldap_result: conn=0 op=0 p=3
Dec 28 23:58:04 c003998 slapd[8210]: [ID 291653 local4.debug] send_ldap_result: err=0 matched="" text=""
Dec 28 23:58:04 c003998 slapd[8210]: [ID 324658 local4.debug] send_ldap_response: msgid=1 tag=97 err=0
Dec 28 23:58:04 c003998 slapd[8210]: [ID 601841 local4.debug] daemon: activity on 1 descriptor
Dec 28 23:58:04 c003998 slapd[8210]: [ID 802679 local4.debug] daemon: activity on:
Dec 28 23:58:04 c003998 slapd[8210]: [ID 522297 local4.debug] 11r
Dec 28 23:58:04 c003998 slapd[8210]: [ID 100000 local4.debug]
Dec 28 23:58:04 c003998 slapd[8210]: [ID 694296 local4.debug] daemon: read activity on 11
Dec 28 23:58:04 c003998 slapd[8210]: [ID 525477 local4.debug] connection_get(11)
Dec 28 23:58:04 c003998 slapd[8210]: [ID 611214 local4.debug] connection_get(11): got connid=0
Dec 28 23:58:04 c003998 slapd[8210]: [ID 138202 local4.debug] connection_read(11): checking for input on id=0
Dec 28 23:58:04 c003998 slapd[8210]: [ID 812316 local4.debug] ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable)
Dec 28 23:58:04 c003998 slapd[8210]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=0 tvp=zero
Dec 28 23:58:04 c003998 slapd[8210]: [ID 940369 local4.debug] do_search
Dec 28 23:58:04 c003998 slapd[8210]: [ID 198467 local4.debug] >>> dnPrettyNormal: <roId=1000090,ou=alcatraz,o=winterthur,c=ch>
Dec 28 23:58:04 c003998 slapd[8210]: [ID 147344 local4.debug] <<< dnPrettyNormal: <roId=1000090,ou=alcatraz,o=winterthur,c=ch>, <roId=1000090,ou=alcatraz,o=winterthur,c=ch>
Dec 28 23:58:04 c003998 slapd[8210]: [ID 829381 local4.debug] SRCH "roId=1000090,ou=alcatraz,o=winterthur,c=ch" 0 0
Dec 28 23:58:04 c003998 slapd[8210]: [ID 998714 local4.debug] 0 0 0
Dec 28 23:58:04 c003998 slapd[8210]: [ID 119476 local4.debug] begin get_filter
Dec 28 23

Subject: Re: (ITS#4289) probably component matching filter issue
From: vadim <vadim.tarassov@swissonline.ch>
To: openldap-its@OpenLDAP.org
Cc: vadim.tarassov@swissonline.ch
Date: Mon, 02 Jan 2006 18:49:36 +0100

Hello everybody,

sorry, I have discovered that slapd is actually producing a core file like this (due to signal 10):

(gdb) backtrace
#0 0x00086770 in slap_sl_free (ptr=0x4a0e4f, ctx=0x33e678) at sl_malloc.c:427
#1 0x00084a34 in mra_free (op=0x342578, mra=0x4a0eec, freeit=1) at mra.c:43
#2 0x00044e1c in filter_free_x (op=0x342578, f=0x4a0eec) at filter.c:515
(gdb) print (char*)ptr+p[-1]
$12 = 0x7370cb <Address 0x7370cb out of bounds>

best regards, vadim tarassov

--
vadim <vadim.tarassov@swissonline.ch>

Subject: Re: (ITS#4289) probably component matching filter issue
From: vadim <vadim.tarassov@swissonline.ch>
To: openldap-its@OpenLDAP.org
Cc: vadim.tarassov@swissonline.ch
Date: Mon, 02 Jan 2006 20:30:31 +0100

I would like to add that openldap-2.3.14 with that filter always crashes on solaris 8 and does not crash on linux (debian testing).

--
vadim <vadim.tarassov@swissonline.ch>
______________ © Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org