OpenLDAP
Viewing Incoming/8759
From: zhixu.liu@gmail.com
Subject: mixed overlay nops & memberof cause segfault
Date: Fri, 20 Oct 2017 16:13:33 +0000
From: zhixu.liu@gmail.com
To: openldap-its@OpenLDAP.org
Subject: mixed overlay nops & memberof cause segfault
Full_Name: Z. Liu
Version: 2.4.44
OS: Gentoo
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (221.218.169.84)


If we enable overlay nops & memberof together and then do a member MODDN
operation, slapd will segfault and exit immediately.

Example operation:

dn: uid=test,ou=People,dc=example,dc=dc=com
changetype: moddn
newrdn: uid=chenln
deleteoldrdn: 1
newsuperior: ou=Leave,dc=example,dc=com

The reason is: in servers/slapd/overlays/memberof.c, the function
memberof_value_modify defines mod/values/nvalues on the stack, which are then
passed to other overlays; nops will try to free them if no attribute is changed.
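
A simplified model of the ownership mismatch described in the report above, added here as an illustration; it is not code from OpenLDAP, memberof.c or nops. The `struct mod` type, the `heap_owned` flag and the function names are hypothetical, and the list contents are constructed sample data. It shows one way a consumer can unlink no-op modifications without calling free() on storage it did not allocate.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for one modification (hypothetical type, not slapd's). */
struct mod {
    const char *attr, *old_val, *new_val;
    int heap_owned;              /* 1 only if the node itself was malloc'd */
    struct mod *next;
};

/* Consumer (nops's role in the report): unlink mods that change nothing and
 * free only heap-owned ones; free() on a caller's stack node is the crash. */
int drop_noop_mods(struct mod **head, int *freed)
{
    int unlinked = 0;
    *freed = 0;
    while (*head) {
        struct mod *m = *head;
        if (strcmp(m->old_val, m->new_val) != 0) { head = &m->next; continue; }
        *head = m->next;
        unlinked++;
        if (m->heap_owned) { free(m); (*freed)++; }
    }
    return unlinked;
}

struct demo_result { int unlinked, freed, remaining; };
/* Producer (the role the report gives memberof): constructed sample list
 * mixing one heap node with two nodes in this function's stack frame. */
struct demo_result run_demo(void)
{
    struct demo_result r = { 0, 0, 0 };
    struct mod keep = { "uid", "test", "chenln", 0, NULL };    /* real change */
    struct mod on_stack = { "memberOf", "x", "x", 0, &keep };  /* no-op, stack */
    struct mod *head = malloc(sizeof(*head));                  /* no-op, heap */
    if (!head) return r;
    *head = (struct mod){ "member", "y", "y", 1, &on_stack };
    r.unlinked = drop_noop_mods(&head, &r.freed);
    for (struct mod *m = head; m; m = m->next) r.remaining++;
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("unlinked=%d freed=%d remaining=%d\n", r.unlinked, r.freed, r.remaining);
    return 0;
}
```

Building with `-fsanitize=address` and removing the `heap_owned` check makes the invalid free of the stack node show up as a sanitizer report instead of silent heap corruption.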

Followup 1

Download message
From: "刘志旭" <liuzx@knownsec.com>
To: "openldap-its" <openldap-its@OpenLDAP.org>
Subject: Re: (ITS#8759) mixed overlay nops & memberof cause segfault
Date: Fri, 15 Dec 2017 17:44:24 +0800

Followup 2

Download message
Subject: Re: (ITS#8759) mixed overlay nops & memberof cause segfault
To: zhixu.liu@gmail.com, openldap-its@OpenLDAP.org
From: Howard Chu <hyc@symas.com>
Date: Fri, 6 Jul 2018 21:07:24 +0100
zhixu.liu@gmail.com wrote:
> Full_Name: Z. Liu
> Version: 2.4.44
> OS: Gentoo
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (221.218.169.84)
> 
> 
> if we enable overlay nops & memberof together, then doing a member MODDN
> operation, slapd will segfault and exit immediately.
> 
> Example operation:
> 
> dn: uid=test,ou=People,dc=example,dc=dc=com
> changetype: moddn
> newrdn: uid=chenln
> deleteoldrdn: 1
> newsuperior: ou=Leave,dc=example,dc=com
> 
> The reason is: in servers/slapd/overlays/memberof.c, function
> memberof_value_modify define mod/values/nvalues in the stack, which will be
> passed to other overlays, nops will try to free them if no attribute is
> changed.

Note that code in contrib is unsupported and is not actually part of OpenLDAP 
Software. You can either contact the nops author and ask them for a fix, or 
you're welcome to submit a fix yourself. Nobody in the OpenLDAP Project is 
going to investigate this issue.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

