OpenLDAP

Viewing Historical/5218

From: dappleby@deakin.edu.au
Subject: ber_get_next at /liblber/io.c:710

Date: Tue, 6 Nov 2007 22:21:44 GMT
From: dappleby@deakin.edu.au
To: openldap-its@OpenLDAP.org
Subject: ber_get_next at /liblber/io.c:710
Full_Name: Daniel Appleby
Version: 3
OS: RHEL4 Update 5
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (128.184.138.7)


Hi,

I am getting a signal 6 (abort) in the samba logs which reports:

[2007/11/06 19:01:06, 0, effective(0, 0), real(0, 0)] lib/smbldap.c:smbldap_search_suffix(1155)
  smbldap_search_suffix: Problem during the LDAP search:  (Local error)
smbd: ../../../libraries/liblber/io.c:516: ber_get_next: Assertion `ber->ber_buf == ((void *)0)' failed.


It dropped a core and here is the full backtrace:

#0  0x003db7a2 in ?? ()
#1  0x0025f7a5 in raise () from /lib/tls/libc.so.6
#2  0x00261209 in abort () from /lib/tls/libc.so.6
#3  0x007f06f4 in smb_panic2 (why=0x0, decrement_pid_count=1) at lib/util.c:1565
#4  0x007f086c in smb_panic (why=0x0) at lib/util.c:1454
#5  0x007dcd8f in sig_fault (sig=0) at lib/fault.c:41
#6  <signal handler called>
#7  0x003db7a2 in ?? ()
#8  0x0025f7a5 in raise () from /lib/tls/libc.so.6
#9  0x00261209 in abort () from /lib/tls/libc.so.6
#10 0x00258d91 in __assert_fail () from /lib/tls/libc.so.6
#11 0x0094c1f5 in ber_get_next (sb=0x99231b0, len=0xbfe4072c, ber=0x992d880) at ../../../libraries/liblber/io.c:710
#12 0x0011a6a2 in try_read1msg (ld=0x9923100, msgid=10, all=1, sb=0x99231b0, lcp=0xbfe407dc, result=0xbfe40d34) at ../../../libraries/libldap/result.c:473
#13 0x0011bb6f in ldap_result (ld=0x9923100, msgid=10, all=1, timeout=0x0, result=0xbfe40d34) at ../../../libraries/libldap/result.c:378
#14 0x0011d28b in ldap_search_s (ld=0x9923100, base=0x992a618 "dc=deakin,dc=edu,dc=au", scope=2,
    filter=0x992da08 "(&(uid=pfield)(objectclass=sambaSamAccount))", attrs=0x992c580, attrsonly=0, res=0xbfe40d34)
    at ../../../libraries/libldap/search.c:364
#15 0x0086a9ff in smbldap_search (ldap_state=0x9922e70, base=0x992a618 "dc=deakin,dc=edu,dc=au", scope=2,
    filter=0xbfe408f0 "(&(uid=pfield)(objectclass=sambaSamAccount))", attrs=0x992c580, attrsonly=0, res=0xbfe40d34) at lib/smbldap.c:1047
#16 0x0086b116 in smbldap_search_suffix (ldap_state=0x9922e70, filter=0xbfe408f0 "(&(uid=pfield)(objectclass=sambaSamAccount))", search_attr=0x992c580,
    result=0xbfe40d34) at lib/smbldap.c:1148
#17 0x007c1cda in ldapsam_search_suffix_by_name (ldap_state=0x9922e00, user=Variable "user" is not available.
) at passdb/pdb_ldap.c:227
#18 0x007c524d in ldapsam_getsampwnam (my_methods=0x9922d70, user=0x992c410, sname=0x992d928 "pfield") at passdb/pdb_ldap.c:1291
#19 0x007bbaea in context_getsampwnam (context=0x9922c20, sam_acct=0x992c410, username=0x992d928 "pfield") at passdb/pdb_interface.c:197
#20 0x007bdbcf in pdb_getsampwnam (sam_acct=0x992c410, username=0x992d928 "pfield") at passdb/pdb_interface.c:883
#21 0x0082b2ad in check_sam_security (auth_context=0x9878dd0, my_private_data=0x0, mem_ctx=0x9924808, user_info=0x992d8b8, server_info=0x992afc0)
    at auth/auth_sam.c:240
#22 0x0082c54a in check_samstrict_security (auth_context=0x9878dd0, my_private_data=0x0, mem_ctx=0x0, user_info=0x992d8b8, server_info=0x0)
    at auth/auth_sam.c:372
#23 0x00829789 in check_ntlm_password (auth_context=0x9878dd0, user_info=0x992d8b8, server_info=0x992afc0) at auth/auth.c:255
#24 0x0083372e in auth_ntlmssp_check_password (ntlmssp_state=0x992bd68, user_session_key=0x0, lm_session_key=0x0) at auth/auth_ntlmssp.c:108
#25 0x00710a36 in ntlmssp_server_auth (ntlmssp_state=0x992bd68, request={data = 0x992c358 "NTLMSSP", length = 176, free = 0x7edc20 <free_data_blob>},
    reply=0xbfe41350) at libsmb/ntlmssp.c:663
#26 0x0070ff0a in ntlmssp_update (ntlmssp_state=0x992bd68, in={data = 0x992c358 "NTLMSSP", length = 176, free = 0x7edc20 <free_data_blob>}, out=0xbfe41350)
    at libsmb/ntlmssp.c:259
#27 0x00833aa6 in auth_ntlmssp_update (auth_ntlmssp_state=0x0, request={data = 0x992c358 "NTLMSSP", length = 176, free = 0x7edc20 <free_data_blob>},
    reply=0x0) at auth/auth_ntlmssp.c:187
#28 0x006b17a1 in reply_sesssetup_and_X_spnego (conn=0x0, inbuf=0xb7bc2008 "", outbuf=0xb7ba1008 "", length=354, bufsize=131072) at smbd/sesssetup.c:504
#29 0x006b2eb2 in reply_sesssetup_and_X (conn=0x0, inbuf=0xb7bc2008 "", outbuf=0xb7ba1008 "", length=354, bufsize=131072) at smbd/sesssetup.c:669
#30 0x006d95e2 in switch_message (type=115, inbuf=0xb7bc2008 "", outbuf=0xb7ba1008 "", size=354, bufsize=0) at smbd/process.c:968
#31 0x006d9a1c in process_smb (inbuf=0xb7bc2008 "", outbuf=0xb7ba1008 "") at smbd/process.c:998
#32 0x006da744 in smbd_process () at smbd/process.c:1560
#33 0x0086d057 in main (argc=2, argv=0xbfe44664) at smbd/server.c:900


Our OpenLDAP version is openldap-2.2.13-7.4E. I know that this is a Red Hat
package etc., but I would like to know if this has already been fixed or not. If
it has been fixed, can you let me know what version it was fixed in, as I will
need to supply Red Hat with a patch.

Is anyone able to tell me how/why this occurs?

If you need more info, please let me know.

Thanks in advance,
Daniel


Followup 1

Date: Tue, 06 Nov 2007 15:37:30 -0800
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: dappleby@deakin.edu.au, openldap-its@openldap.org
Subject: Re: (ITS#5218) ber_get_next at /liblber/io.c:710

--On November 6, 2007 10:21:45 PM +0000 dappleby@deakin.edu.au wrote:
> Is anyone able to tell me how/why this occurs?

You made the mistake of using the RH ldap packages, that's why.

As to whether or not this has been fixed, please don't open up bug reports 
on obsolete versions of OpenLDAP.  Send your question to openldap-software, 
and maybe someone can help you there.  Personally I'd suggest using Buchan 
Milne's builds for RH or Symas's CDS packages.  Odds are though, it has 
been fixed.  2.2.13 is quite old, with 2.4.6 being the current release.

<http://staff.telkomsa.net/packages/>
<http://www.symas.com/>

--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration


______________
© Copyright 2009, OpenLDAP Foundation, info@OpenLDAP.org