Viewing Incoming/6667
Full headers

Major security issue: yes  no

Notes:
slapo-memberof need details
Notification:

Date: Thu, 07 Oct 2010 09:17:58 +0000
From: miguelangel@nbee.es
To: openldap-its@OpenLDAP.org
Subject: memberof infinite recursion on node rename

Full_Name: Miguel Angel Ajo Pelayo
Version: 2.4.23 stable
OS: Linux (Centos5)
URL: 
Submission from: (NULL) (95.16.169.142)


 I detected that my (compiled from source) openldap crashes on node
rename. I run gdb and detected an infinite (too big) recursion that seems to be
related with the "memberof" overlay.




This is the GDB / debug output:


>>> dnNormalize: <cn=aaa aaavzadadfa,dc=nbee,dc=es>
<<< dnNormalize: <cn=aaa aaavzadadfa,dc=nbee,dc=es>
bdb_modrdn: new ndn=cn=aaa aaavzadadfa,dc=nbee,dc=es
=> bdb_dn2id("cn=aaa aaavzadadfa,dc=nbee,dc=es")
<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found
(-30988)
=> bdb_dn2id_delete 0x11: "cn=aaa aaavzadadf,dc=nbee,dc=es"
<= bdb_dn2id_delete 0x11: 0
=> bdb_dn2id_add 0x11: "cn=aaa aaavzadadfa,dc=nbee,dc=es"
<= bdb_dn2id_add 0x11: 0
bdb_modify_internal: 0x00000011: cn=aaa aaavzadadfa,dc=nbee,dc=es
oc_check_required entry (cn=aaa aaavzadadfa,dc=nbee,dc=es),
objectClass "inetOrgPerson"
oc_check_required entry (cn=aaa aaavzadadfa,dc=nbee,dc=es),
objectClass "posixAccount"
oc_check_allowed type "givenName"
oc_check_allowed type "sn"
oc_check_allowed type "gidNumber"
oc_check_allowed type "uid"
oc_check_allowed type "uidNumber"
oc_check_allowed type "userPassword"
oc_check_allowed type "loginShell"
oc_check_allowed type "homeDirectory"
oc_check_allowed type "objectClass"
oc_check_allowed type "structuralObjectClass"
oc_check_allowed type "entryUUID"
oc_check_allowed type "creatorsName"
oc_check_allowed type "createTimestamp"
oc_check_allowed type "cn"
oc_check_allowed type "entryCSN"
oc_check_allowed type "modifiersName"
oc_check_allowed type "modifyTimestamp"
=> key_change(DELETE,11)
<= key_change 0
=> key_change(DELETE,11)
<= key_change 0
=> key_change(DELETE,11)
<= key_change 0
=> key_change(DELETE,11)
<= key_change 0
=> key_change(DELETE,11)
<= key_change 0
=> key_change(DELETE,11)
<= key_change 0
=> key_change(DELETE,11)
<= key_change 0
=> key_change(DELETE,11)
<= key_change 0
=> key_change(DELETE,11)
<= key_change 0
=> key_change(DELETE,11)
<= key_change 0
=> key_change(DELETE,11)
<= key_change 0
=> key_change(DELETE,11)
<= key_change 0
=> key_change(DELETE,11)
<= key_change 0
=> key_change(DELETE,11)
<= key_change 0
=> key_change(DELETE,11)
<= key_change 0
=> key_change(DELETE,11)
<= key_change 0
=> key_change(DELETE,11)
<= key_change 0
=> key_change(DELETE,11)
<= key_change 0
=> key_change(DELETE,11)
<= key_change 0
=> key_change(ADD,11)
<= key_change 0
=> key_change(ADD,11)
<= key_change 0
=> key_change(ADD,11)
<= key_change 0
=> key_change(ADD,11)
<= key_change 0
=> key_change(ADD,11)
<= key_change 0
=> key_change(ADD,11)
<= key_change 0
=> key_change(ADD,11)
<= key_change 0
=> key_change(ADD,11)
<= key_change 0
=> key_change(ADD,11)
<= key_change 0
=> key_change(ADD,11)
<= key_change 0
=> key_change(ADD,11)
<= key_change 0
=> key_change(ADD,11)
<= key_change 0
=> key_change(ADD,11)
<= key_change 0
=> key_change(ADD,11)
<= key_change 0
=> key_change(ADD,11)
<= key_change 0
=> key_change(ADD,11)
<= key_change 0
=> key_change(ADD,11)
<= key_change 0
=> key_change(ADD,11)
<= key_change 0
=> key_change(ADD,11)
<= key_change 0
=> key_change(ADD,11)
<= key_change 0
=> entry_encode(0x00000011): cn=aaa aaavzadadfa,dc=nbee,dc=es
<= entry_encode(0x00000011): cn=aaa aaavzadadfa,dc=nbee,dc=es
bdb_modrdn: rdn modified id=00000011 dn="cn=aaa aaavzadadf,dc=nbee,dc=es"
send_ldap_result: conn=1007 op=2 p=3

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb79e7b90 (LWP 11613)]
0x080eaf7e in over_op_func (op=0xb79e680c, rs=0xb79e67d0,
which=op_aux_chk_controls) at backover.c:713
713                     db = *op->o_bd;


#0  0x080eaf7e in over_op_func (op=0xb79e680c, rs=0xb79e67d0,
which=op_aux_chk_controls) at backover.c:713
#1  0x080eb21c in over_aux_chk_controls (op=0xb79e680c, rs=0xb79e67d0)
at backover.c:814
#2  0x0807bc38 in backend_check_restrictions (op=0xb79e680c,
rs=0xb79e67d0, opdata=0x0) at backend.c:1036
#3  0x0806e1fa in fe_op_search (op=0xb79e680c, rs=0xb79e67d0) at search.c:334
#4  0x080eae42 in overlay_op_walk (op=0xb79e680c, rs=0xb79e67d0,
which=op_search, oi=0x8304f40, on=0x0) at backover.c:669
#5  0x080eaff7 in over_op_func (op=0xb79e680c, rs=0xb79e67d0,
which=op_search) at backover.c:721
#6  0x080eb0a6 in over_op_search (op=0xb79e680c, rs=0xb79e67d0) at
backover.c:748
#7  0x0806e3a3 in fe_op_search (op=0xb79e680c, rs=0xb79e67d0) at search.c:366

[.......] A LOT of recursion...

#37385 0x080eaff7 in over_op_func (op=0xb79e680c, rs=0xb79e67d0,
which=op_search) at backover.c:721
#373

Followup 1

Date: Fri, 08 Oct 2010 10:07:47 +0200
From: Pierangelo Masarati <masarati@aero.polimi.it>
To: miguelangel@nbee.es
CC: openldap-its@openldap.org
Subject: Re: (ITS#6667) memberof infinite recursion on node rename

Can you provide a minimal example that triggers the problem?  You should 
boil it down to:

- the slapd.conf or the contents of the cn=config database
- the LDIF needed to populate the database
- the operation that causes the problem (I presume it's a modify or a 
write operation, so you should be able to provide it in form of LDIF and 
main parameters, e.g. the identity that is performing the operation).

Thanks, p.