Issue 6958 - slapd segmentation fault with TLSCRLCheck all
Summary: slapd segmentation fault with TLSCRLCheck all
Status: VERIFIED WORKSFORME
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: 2.4.25
Hardware: All All
Importance: --- normal
Target Milestone: ---
Assignee: Quanah Gibson-Mount
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-05-27 06:43 UTC by tiamat@komi.mts.ru
Modified: 2020-03-27 01:38 UTC (History)
0 users

See Also:


Attachments

Description tiamat@komi.mts.ru 2011-05-27 06:43:36 UTC
Full_Name: Alex Deiter
Version: 2.4.25
OS: FreeBSD
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (217.66.145.56)


FreeBSD x86 and amd64, OpenLDAP 2.4.25 configure option:

$ ./configure --with-threads=posix --with-tls=openssl
--disable-dependency-tracking --enable-dynamic --with-cyrus-sasl
--enable-modules --localstatedir=/var/db --enable-crypt --enable-lmpasswd
--enable-ldap=mod --enable-meta=mod --enable-rewrite --enable-null=mod
--enable-monitor=mod --enable-accesslog --enable-auditlog --enable-collect
--enable-constraint --enable-dds --enable-deref --enable-dyngroup
--enable-dynlist --enable-memberof --enable-ppolicy --enable-proxycache
--enable-refint --enable-retcode --enable-rwm --enable-seqmod --enable-sssvlv
--enable-syncprov --enable-translucent --enable-unique --enable-valsort
--enable-bdb=mod --enable-hdb=mod --enable-spasswd --enable-slapi
--enable-wrappers --prefix=/usr/local --mandir=/usr/local/man
--infodir=/usr/local/info/ --build=i386-portbld-freebsd9.0

slapindex crashes with a segmentation fault when the option TLSCRLCheck all is used in slapd.conf:

TLSCACertificatePath    /etc/ssl
TLSCACertificateFile    /etc/ssl/ca.crt
TLSCertificateKeyFile   /etc/ssl/server.key
TLSCertificateFile      /etc/ssl/server.crt
TLSVerifyClient         allow
TLSCRLCheck             all

# slapindex -v
Segmentation fault (core dumped)
# gdb /usr/local/libexec/slapd /var/tmp/slapd-49225.core 
...
(gdb) bt
#0  ldap_free_urllist (ludlist=0x2) at url.c:1515
#1  0x28c9b0b4 in ldap_int_destroy_global_options () at init.c:485
#2  0x28c7efc0 in __do_global_dtors_aux () from /usr/local/lib/libldap-2.4.so.8
#3  0x28cabf1c in _fini () from /usr/local/lib/libldap-2.4.so.8
#4  0x281d4538 in ?? () from /libexec/ld-elf.so.1
#5  0x281d4538 in ?? () from /libexec/ld-elf.so.1
#6  0xbfbfea38 in ?? ()
#7  0x281a9100 in dlinfo () from /libexec/ld-elf.so.1
#8  0x281a9260 in dlclose () from /libexec/ld-elf.so.1
#9  0x283a81b1 in _sasl_done_with_plugins () from /usr/local/lib/libsasl2.so.2
#10 0x283a18f0 in sasl_done () from /usr/local/lib/libsasl2.so.2
#11 0x080c7a3b in slap_sasl_destroy ()
#12 0x080a4d3d in slap_destroy ()
#13 0x080e4553 in slap_tool_destroy ()
#14 0x080e6147 in slapindex ()
#15 0x0805b665 in main ()
(gdb) f 0
#0  ldap_free_urllist (ludlist=0x2) at url.c:1515
1515                    next = ludp->lud_next;

slapd also crashes with a segmentation fault when the slapd service is stopped:

(gdb) bt
#0  ldap_free_urllist (ludlist=0x2) at url.c:1515
#1  0x28c9b0b4 in ldap_int_destroy_global_options () at init.c:485
#2  0x28c7efc0 in __do_global_dtors_aux () from /usr/local/lib/libldap-2.4.so.8
#3  0x28cabf1c in _fini () from /usr/local/lib/libldap-2.4.so.8
#4  0x281d4538 in ?? () from /libexec/ld-elf.so.1
#5  0x281d4538 in ?? () from /libexec/ld-elf.so.1
#6  0xbfbfe9f8 in ?? ()
#7  0x281a9100 in dlinfo () from /libexec/ld-elf.so.1
#8  0x281a9260 in dlclose () from /libexec/ld-elf.so.1
#9  0x283a81b1 in _sasl_done_with_plugins () from /usr/local/lib/libsasl2.so.2
#10 0x283a18f0 in sasl_done () from /usr/local/lib/libsasl2.so.2
#11 0x080c7a3b in slap_sasl_destroy ()
#12 0x080a4d3d in slap_destroy ()
#13 0x0805bc92 in main ()
(gdb) f 0
#0  ldap_free_urllist (ludlist=0x2) at url.c:1515
1515                    next = ludp->lud_next;

Without the TLSCRLCheck all option in slapd.conf/ldap.conf, slapd works fine, but
without the CRL check we can't authenticate clients by their certificates ;-(

ldap.conf:
TLS_CACERT      /etc/ssl/ca.crt
TLS_CACERTDIR   /etc/ssl
TLS_REQCERT     demand
TLS_CRLCHECK    all
URI             ldaps://server.domain.ru
BASE            dc=domain,dc=ru
RESTART         yes
VERSION         3
SIZELIMIT       0
TIMELIMIT       0
TIMEOUT         30
NETWORK_TIMEOUT 30

slapd.conf:
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/samba.schema
include         /usr/local/etc/openldap/schema/dhcp.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/sendmail.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

TLSCACertificatePath    /etc/ssl
TLSCACertificateFile    /etc/ssl/ca.crt
TLSCertificateKeyFile   /etc/ssl/server.key
TLSCertificateFile      /etc/ssl/server.crt
TLSVerifyClient         allow
TLSCRLCheck             all

allow           bind_v2
sizelimit       -1
timelimit       -1

modulepath      /usr/local/libexec/openldap
moduleload      back_hdb

database        hdb
cachesize       1024
directory       /var/db/openldap-data
dbconfig        set_cachesize 0 67108864 1
dbconfig        set_lg_regionmax 262144
dbconfig        set_lg_bsize 2097152
suffix          "dc=domain,dc=ru"
rootdn          "cn=manager,dc=domain,dc=ru"
rootpw          "passwd"

index   objectClass                     eq

access to * by * read

sasl-authz-policy to

sasl-regexp gidNumber=(.*)\\+uidNumber=0,cn=peercred,cn=external,cn=auth
        "cn=manager,dc=domain,dc=ru"

sasl-regexp gidNumber=60\\+uidNumber=60,cn=peercred,cn=external,cn=auth
        "cn=manager,dc=domain,dc=ru"

sasl-regexp gidNumber=(.*)\\+uidNumber=(.*),cn=peercred,cn=external,cn=auth
        ldap:///dc=domain,dc=ru??sub?(&(gidNumber=$1)(uidNumber=$2))

sasl-regexp uid=(.*),cn=(.*),cn=auth
        ldap:///dc=domain,dc=ru??sub?(uid=$1)
Comment 1 Howard Chu 2011-06-03 18:37:35 UTC
Can't reproduce this on Linux. Someone with a FreeBSD installation will have to
investigate this.
Comment 2 Howard Chu 2011-06-03 18:37:52 UTC
changed state Open to Feedback
Comment 3 Quanah Gibson-Mount 2017-04-12 15:15:09 UTC
changed state Feedback to Open
moved from Incoming to Software Bugs
Comment 4 Quanah Gibson-Mount 2020-03-20 05:19:06 UTC
I have a freebsd box I can examine this with.
Comment 5 Quanah Gibson-Mount 2020-03-27 01:38:49 UTC
Unable to reproduce on FreeBSD 12.1 patch level 3

include         ./schema/core.schema
include         ./schema/cosine.schema
include         ./schema/corba.schema
include         ./schema/java.schema
include         ./schema/inetorgperson.schema
include         ./schema/misc.schema
include         ./schema/nis.schema
include         ./schema/openldap.schema
include         ./schema/duaconf.schema
include         ./schema/dyngroup.schema

pidfile         /home/build/git/openldap/tests/testrun/slapd.1.pid
argsfile        /home/build/git/openldap/tests/testrun/slapd.1.args

TLSCACertificatePath    /home/build/git/openldap/tests/testrun/tls/ca/certs/
TLSCACertificateFile    /home/build/git/openldap/tests/testrun/tls/ca/certs/testsuiteCA.crt
TLSCertificateKeyFile /home/build/git/openldap/tests/testrun/tls/private/localhost.key
TLSCertificateFile /home/build/git/openldap/tests/testrun/tls/certs/localhost.crt
TLSVerifyClient         allow
TLSCRLCheck             all



 ../servers/slapd/slapindex -f testrun/slapd.1.conf -v
[build@freebsd12 ~/git/openldap/tests]$ echo $?
0