Full_Name: Jan Vcelak
Version: 2.5.25
OS: Linux
URL: ftp://ftp.openldap.org/incoming/jvcelak-20110622-ldif-split-indent-segfault-2.patch
Submission from: (NULL) (209.132.186.34)


Hello,

input LDIF file with split lines which are indented incorrectly causes a
SEGFAULT of a client tool. Let me show:

$ cat /tmp/invalid.ldif
dn: cn=B,dc=my-domain,
dc=com
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: B
sn: B
uid: B
mail: b@example.org

$ ldapmodify -a -x -f /tmp/invalid.ldif -d2048
ldif_parse_line: missing ':' after dc=com
ldapmodify: invalid format (line 2) entry: "cn=B,dc=my-domain,"
Segmentation fault (core dumped)


(gdb) bt full
#0  __strcasecmp_l_ssse3 () at ../sysdeps/x86_64/strcmp.S:214
No locals.
#1  0x000000000042d9f3 in ldap_parse_ldif_record_x (rbuf=0x7fffffffdbb0, linenum=1, lr=0x7fffffffdb30, errstr=0x7fffffffe197 "ldapmodify", flags=1, ctx=0x0) at ldifutil.c:399
        fv = 0
        line = 0x668627 "dc=com"
        dn = 0x668614 "cn=B,dc=my-domain,"
        rc = -9
        modop = 0
        expect_modop = 0
        expect_sep = 0
        ldapadd = 1
        new_entry = 1
        delete_entry = 0
        got_all = 0
        pmods = 0x6697e8
        version = 0
        pctrls = 0x0
        i = 1
        j = 0
        k = -1
        idn = 1
        nmods = 1
        bvl = 0x6697f8
        bv = {bv_len = 0, bv_val = 0x0}
        __PRETTY_FUNCTION__ = "ldap_parse_ldif_record_x"
#2  0x000000000042e524 in ldap_parse_ldif_record (rbuf=0x7fffffffdbb0, linenum=1, lr=0x7fffffffdb30, errstr=0x7fffffffe197 "ldapmodify", flags=1) at ldifutil.c:565
No locals.
#3  0x0000000000406ff8 in process_ldif_rec (rbuf=0x668610 "dn", linenum=1) at ldapmodify.c:404
        lr = {lr_op = 0, lr_dn = {bv_len = 18, bv_val = 0x668614 "cn=B,dc=my-domain,"}, lr_ctrls = 0x0, ldif_ops = {lr_mods = 0x0, ldif_op_rename = {lr_newrdn = {bv_len = 0, bv_val = 0x0}, lr_newsuperior = {bv_len = 0, bv_val = 0x0}, lr_deleteoldrdn = 0}, ldif_op_ext = {lr_extop_oid = {bv_len = 0, bv_val = 0x0}, lr_extop_data = {bv_len = 0, bv_val = 0x0}}, ldif_op_cmp = {lr_cmp_attr = {bv_len = 0, bv_val = 0x0}, lr_cmp_bvalue = {bv_len = 0, bv_val = 0x0}}}, lr_ctx = 0x0, lr_lines = 2, lr_lm = 0x6697d0, lr_mops = 0x0, lr_freeval = 0x6699e0 "", lr_vals = 0x669930, lr_btype = 0x669880}
        lrflags = 1
        rc = 0
        rbuf_bv = {bv_len = 0, bv_val = 0x66862e "objectclass: inetOrgPerson\nobjectclass: organizationalPerson\nobjectclass: person\nobjectclass: top\ncn: B\nsn: B\nuid: B\nmail: b@example.org\n"}
#4  0x0000000000406cb7 in main (argc=6, argv=0x7fffffffdd98) at ldapmodify.c:316
        rbuf = 0x668610 "dn"
        rejbuf = 0x0
        rejfp = 0x0
        ldiffp = 0x6600a0
        ldifdummy = {fp = 0x0, prev = 0x0}
        matched_msg = 0x448790 "H\211l$\330L\211d$\340H\215-\003\060!"
        error_msg = 0x8000 <Address 0x8000 out of bounds>
        rc = 0
        retval = 0
        ldifrc = 1
        len = 4491152
        i = 0
        lineno = 1
        nextline = 11
        lmax = 4119
        c = {{ldctl_oid = 0x7fe0f05 <Address 0x7fe0f05 out of bounds>, ldctl_value = {bv_len = 5044973646, bv_val = 0x0}, ldctl_iscritical = 0 '\000'}}
(gdb) frame 1
#1  0x000000000042d9f3 in ldap_parse_ldif_record_x (rbuf=0x7fffffffdbb0, linenum=1, lr=0x7fffffffdb30, errstr=0x7fffffffe197 "ldapmodify", flags=1, ctx=0x0) at ldifutil.c:399
399	    if ( !BV_CASEMATCH( lr->lr_btype+i, &bv )) {
(gdb) p *(lr->lr_btype+1)
$1 = {bv_len = 0, bv_val = 0x668627 "dc=com"}
(gdb)

bv_len is set incorrectly to zero and therefore the string will be compared
against bv, which is a "null string".

I have uploaded a patch to address this issue.

With the patch applied, the output is the following:

./ldapmodify -a -x -f /tmp/invalid.ldif -d2048
ldif_parse_line: missing ':' after dc=com
ldapmodify: invalid format (line 2) entry: "cn=B,dc=my-domain,"
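The failure described in the report, as an added example that is not OpenLDAP's code and not the patch either side refers to (the thread does not include it): a small C LDIF record parser that unfolds RFC 2849 continuation lines (a physical line beginning with one space), rejects a logical line that has no ':' and reports the physical line number instead of leaving a zero-length entry behind, and a `bv_casematch` that checks lengths before it ever touches `bv_val`. The names `ldif_parse_record`, `ldif_record`, `bv_casematch` and the two `demo_*` functions are this example's own, and the two LDIF inputs are constructed to mirror the report's /tmp/invalid.ldif.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Minimal berval with the shape of OpenLDAP's struct berval. */
typedef struct berval { size_t bv_len; char *bv_val; } berval;
/* Length-first, NULL-safe case-insensitive match: a {0, NULL} berval is never
 * passed to a string function, which is what the report's backtrace shows. */
int bv_casematch(const berval *a, const berval *b)
{
    if (a->bv_len != b->bv_len) return 0;
    if (a->bv_len == 0) return 1;                       /* empty == empty, bv_val untouched */
    if (a->bv_val == NULL || b->bv_val == NULL) return 0;
    return strncasecmp(a->bv_val, b->bv_val, a->bv_len) == 0;
}

enum { LDIF_OK = 0, LDIF_ERR_SEP = -1, LDIF_ERR_FOLD = -2, LDIF_ERR_LIMIT = -3 };
#define LDIF_MAX_LINES 32
/* buf is the owned, unfolded copy of the record; values are raw (no base64/URL decoding). */
typedef struct { char *buf; berval type[LDIF_MAX_LINES], value[LDIF_MAX_LINES]; int nlines; } ldif_record;
void ldif_record_free(ldif_record *rec) { free(rec->buf); memset(rec, 0, sizeof(*rec)); }

/* Split one unfolded logical line at its first ':' into type and value. */
static int ldif_split_line(ldif_record *rec, char *line)
{
    char *colon = strchr(line, ':'), *val;
    if (colon == NULL || colon == line) return LDIF_ERR_SEP;   /* no "attr:" on this line */
    if (rec->nlines == LDIF_MAX_LINES) return LDIF_ERR_LIMIT;
    *colon = '\0';
    for (val = colon + 1; *val == ' '; val++) ;               /* skip blanks after ':' */
    rec->type[rec->nlines]  = (berval){ (size_t)(colon - line), line };
    rec->value[rec->nlines] = (berval){ strlen(val), val };
    rec->nlines++;
    return LDIF_OK;
}

/* Parse one LDIF record. A physical line starting with a single space continues the
 * previous logical line (RFC 2849 folding) with that space dropped; any other non-blank
 * line must be "attr: value". On error *errline is the 1-based physical line where the
 * failing logical line starts and the record is left empty, never half-built. */
int ldif_parse_record(const char *text, ldif_record *rec, int *errline)
{
    char *rp, *wp, *cur = NULL; int physline = 0, curline = 0, rc;
    memset(rec, 0, sizeof(*rec)); *errline = 0;
    if ((rec->buf = malloc(strlen(text) + 1)) == NULL) return LDIF_ERR_LIMIT;
    memcpy(rec->buf, text, strlen(text) + 1);
    for (rp = wp = rec->buf; *rp != '\0'; ) {
        char  *eol = strchr(rp, '\n');
        size_t len = eol ? (size_t)(eol - rp) : strlen(rp);
        physline++; if (len == 0) break;                       /* blank line ends the record */
        if (rp[0] == ' ') {                                    /* folded continuation */
            if (cur == NULL) { *errline = physline; ldif_record_free(rec); return LDIF_ERR_FOLD; }
            memmove(wp, rp + 1, len - 1); wp += len - 1;       /* wp <= rp: compacts in place */
        } else {                                               /* new logical line: finish the previous */
            if (cur != NULL) {
                *wp++ = '\0';
                if ((rc = ldif_split_line(rec, cur)) != LDIF_OK) { *errline = curline; ldif_record_free(rec); return rc; }
            }
            cur = wp; curline = physline;
            memmove(wp, rp, len); wp += len;
        }
        rp = eol ? eol + 1 : rp + len;
    }
    if (cur != NULL) {                                         /* last logical line */
        *wp = '\0';
        if ((rc = ldif_split_line(rec, cur)) != LDIF_OK) { *errline = curline; ldif_record_free(rec); return rc; }
    }
    return LDIF_OK;
}

/* Constructed inputs modelled on the report's /tmp/invalid.ldif: the first lacks the
 * leading space on the DN continuation (line 2), the second folds it correctly. */
static const char *const INVALID_LDIF =
    "dn: cn=B,dc=my-domain,\ndc=com\nobjectclass: inetOrgPerson\nobjectclass: top\ncn: B\nsn: B\n";
static const char *const VALID_LDIF =
    "dn: cn=B,dc=my-domain,\n dc=com\nobjectclass: inetOrgPerson\nobjectclass: top\ncn: B\nsn: B\n";
/* Physical line at which INVALID_LDIF is rejected (0 if it were accepted). */
int demo_invalid_line(void)
{
    ldif_record rec; int errline, rc = ldif_parse_record(INVALID_LDIF, &rec, &errline);
    ldif_record_free(&rec);
    return rc == LDIF_OK ? 0 : errline;
}
/* 1 if VALID_LDIF yields five logical lines, the first being the unfolded dn. */
int demo_valid_dn(void)
{
    ldif_record rec; int errline, ok;
    if (ldif_parse_record(VALID_LDIF, &rec, &errline) != LDIF_OK) return 0;
    ok = rec.nlines == 5 && bv_casematch(&rec.type[0], &(berval){ 2, "DN" })  /* case-insensitive */
         && strcmp(rec.value[0].bv_val, "cn=B,dc=my-domain,dc=com") == 0;
    ldif_record_free(&rec);
    return ok;
}
int main(void)
{
    printf("invalid.ldif rejected at line %d, folded dn ok: %d\n", demo_invalid_line(), demo_valid_dn());
    return 0;
}
```

Built with a C99 compiler, `demo_invalid_line()` returns 2 for the unindented `dc=com` line, the same line ldapmodify names in its "invalid format" message, and `demo_valid_dn()` returns 1 once the continuation carries its leading space. The design point is the one the backtrace makes: the crash needs two things, a record entry with `bv_len == 0` but no usable `bv_val`, and a comparison that trusts the length and goes straight to `strcasecmp()`. The parser here never leaves the first behind (an error releases the whole record), and `bv_casematch` never does the second.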
jvcelak@redhat.com wrote:
> Full_Name: Jan Vcelak
> Version: 2.5.25
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/jvcelak-20110622-ldif-split-indent-segfault-2.patch
> Submission from: (NULL) (209.132.186.34)
>
>
> Hello,
>
> input LDIF file with split lines which are indented incorrectly causes a
> SEGFAULT of a client tool. Let me show:

Your example doesn't SEGV for me. Anyway, I've committed a different patch to
master for this issue.

>
> $ cat /tmp/invalid.ldif
> dn: cn=B,dc=my-domain,
> dc=com
> objectclass: inetOrgPerson
> objectclass: organizationalPerson
> objectclass: person
> objectclass: top
> cn: B
> sn: B
> uid: B
> mail: b@example.org
>
> $ ldapmodify -a -x -f /tmp/invalid.ldif -d2048
> ldif_parse_line: missing ':' after dc=com
> ldapmodify: invalid format (line 2) entry: "cn=B,dc=my-domain,"
> Segmentation fault (core dumped)
>
>
> (gdb) bt full
> #0 __strcasecmp_l_ssse3 () at ../sysdeps/x86_64/strcmp.S:214
> No locals.
> #1 0x000000000042d9f3 in ldap_parse_ldif_record_x (rbuf=0x7fffffffdbb0,
> linenum=1, lr=0x7fffffffdb30, errstr=0x7fffffffe197 "ldapmodify", flags=1,
> ctx=0x0) at ldifutil.c:399
> fv = 0
> line = 0x668627 "dc=com"
> dn = 0x668614 "cn=B,dc=my-domain,"
> rc = -9
> modop = 0
> expect_modop = 0
> expect_sep = 0
> ldapadd = 1
> new_entry = 1
> delete_entry = 0
> got_all = 0
> pmods = 0x6697e8
> version = 0
> pctrls = 0x0
> i = 1
> j = 0
> k = -1
> idn = 1
> nmods = 1
> bvl = 0x6697f8
> bv = {bv_len = 0, bv_val = 0x0}
> __PRETTY_FUNCTION__ = "ldap_parse_ldif_record_x"
> #2 0x000000000042e524 in ldap_parse_ldif_record (rbuf=0x7fffffffdbb0,
> linenum=1, lr=0x7fffffffdb30, errstr=0x7fffffffe197 "ldapmodify", flags=1) at
> ldifutil.c:565
> No locals.
> #3 0x0000000000406ff8 in process_ldif_rec (rbuf=0x668610 "dn", linenum=1) at
> ldapmodify.c:404
> lr = {lr_op = 0, lr_dn = {bv_len = 18, bv_val = 0x668614
> "cn=B,dc=my-domain,"}, lr_ctrls = 0x0, ldif_ops = {lr_mods = 0x0, ldif_op_rename
> = {lr_newrdn = {bv_len = 0,
> bv_val = 0x0}, lr_newsuperior = {bv_len = 0, bv_val = 0x0},
> lr_deleteoldrdn = 0}, ldif_op_ext = {lr_extop_oid = {bv_len = 0, bv_val = 0x0},
> lr_extop_data = {
> bv_len = 0, bv_val = 0x0}}, ldif_op_cmp = {lr_cmp_attr = {bv_len
> = 0, bv_val = 0x0}, lr_cmp_bvalue = {bv_len = 0, bv_val = 0x0}}}, lr_ctx = 0x0,
> lr_lines = 2,
> lr_lm = 0x6697d0, lr_mops = 0x0, lr_freeval = 0x6699e0 "", lr_vals =
> 0x669930, lr_btype = 0x669880}
> lrflags = 1
> rc = 0
> rbuf_bv = {bv_len = 0,
> bv_val = 0x66862e "objectclass: inetOrgPerson\nobjectclass:
> organizationalPerson\nobjectclass: person\nobjectclass: top\ncn: B\nsn: B\nuid:
> B\nmail: b@example.org\n"}
> #4 0x0000000000406cb7 in main (argc=6, argv=0x7fffffffdd98) at
> ldapmodify.c:316
> rbuf = 0x668610 "dn"
> rejbuf = 0x0
> rejfp = 0x0
> ldiffp = 0x6600a0
> ldifdummy = {fp = 0x0, prev = 0x0}
> matched_msg = 0x448790 "H\211l$\330L\211d$\340H\215-\003\060!"
> error_msg = 0x8000 <Address 0x8000 out of bounds>
> rc = 0
> retval = 0
> ldifrc = 1
> len = 4491152
> i = 0
> lineno = 1
> nextline = 11
> lmax = 4119
> c = {{ldctl_oid = 0x7fe0f05 <Address 0x7fe0f05 out of bounds>,
> ldctl_value = {bv_len = 5044973646, bv_val = 0x0}, ldctl_iscritical = 0
> '\000'}}
> (gdb) frame 1
> #1 0x000000000042d9f3 in ldap_parse_ldif_record_x (rbuf=0x7fffffffdbb0,
> linenum=1, lr=0x7fffffffdb30, errstr=0x7fffffffe197 "ldapmodify", flags=1,
> ctx=0x0) at ldifutil.c:399
> 399 if ( !BV_CASEMATCH( lr->lr_btype+i, &bv )) {
> (gdb) p *(lr->lr_btype+1)
> $1 = {bv_len = 0, bv_val = 0x668627 "dc=com"}
> (gdb)
>
> bv_len is set incorrectly to zero and therefore the string will be compared
> against bv, which is a "null string".
>
> I have uploaded a patch to address this issue.
>
> With the patch applied, the output is the following:
>
> ./ldapmodify -a -x -f /tmp/invalid.ldif -d2048
> ldif_parse_line: missing ':' after dc=com
> ldapmodify: invalid format (line 2) entry: "cn=B,dc=my-domain,"
>

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
jvcelak@redhat.com wrote:
> Full_Name: Jan Vcelak
> Version: 2.5.25

There is no OpenLDAP version 2.5.

> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/jvcelak-20110622-ldif-split-indent-segfault-2.patch
> Submission from: (NULL) (209.132.186.34)
>
>
> Hello,
>
> input LDIF file with split lines which are indented incorrectly causes a
> SEGFAULT of a client tool. Let me show:
>
> $ cat /tmp/invalid.ldif
> dn: cn=B,dc=my-domain,
> dc=com
> objectclass: inetOrgPerson
> objectclass: organizationalPerson
> objectclass: person
> objectclass: top
> cn: B
> sn: B
> uid: B
> mail: b@example.org
>
> $ ldapmodify -a -x -f /tmp/invalid.ldif -d2048
> ldif_parse_line: missing ':' after dc=com
> ldapmodify: invalid format (line 2) entry: "cn=B,dc=my-domain,"
> Segmentation fault (core dumped)
>
>
> (gdb) bt full
> #0 __strcasecmp_l_ssse3 () at ../sysdeps/x86_64/strcmp.S:214
> No locals.
> #1 0x000000000042d9f3 in ldap_parse_ldif_record_x (rbuf=0x7fffffffdbb0,
> linenum=1, lr=0x7fffffffdb30, errstr=0x7fffffffe197 "ldapmodify", flags=1,
> ctx=0x0) at ldifutil.c:399

There is no file ldifutil.c in OpenLDAP 2.4.

I don't know what you're testing against, but this bug report appears
invalid. Closing.

> fv = 0
> line = 0x668627 "dc=com"
> dn = 0x668614 "cn=B,dc=my-domain,"
> rc = -9
> modop = 0
> expect_modop = 0
> expect_sep = 0
> ldapadd = 1
> new_entry = 1
> delete_entry = 0
> got_all = 0
> pmods = 0x6697e8
> version = 0
> pctrls = 0x0
> i = 1
> j = 0
> k = -1
> idn = 1
> nmods = 1
> bvl = 0x6697f8
> bv = {bv_len = 0, bv_val = 0x0}
> __PRETTY_FUNCTION__ = "ldap_parse_ldif_record_x"
> #2 0x000000000042e524 in ldap_parse_ldif_record (rbuf=0x7fffffffdbb0,
> linenum=1, lr=0x7fffffffdb30, errstr=0x7fffffffe197 "ldapmodify", flags=1) at
> ldifutil.c:565
> No locals.
> #3 0x0000000000406ff8 in process_ldif_rec (rbuf=0x668610 "dn", linenum=1) at
> ldapmodify.c:404
> lr = {lr_op = 0, lr_dn = {bv_len = 18, bv_val = 0x668614
> "cn=B,dc=my-domain,"}, lr_ctrls = 0x0, ldif_ops = {lr_mods = 0x0, ldif_op_rename
> = {lr_newrdn = {bv_len = 0,
> bv_val = 0x0}, lr_newsuperior = {bv_len = 0, bv_val = 0x0},
> lr_deleteoldrdn = 0}, ldif_op_ext = {lr_extop_oid = {bv_len = 0, bv_val = 0x0},
> lr_extop_data = {
> bv_len = 0, bv_val = 0x0}}, ldif_op_cmp = {lr_cmp_attr = {bv_len
> = 0, bv_val = 0x0}, lr_cmp_bvalue = {bv_len = 0, bv_val = 0x0}}}, lr_ctx = 0x0,
> lr_lines = 2,
> lr_lm = 0x6697d0, lr_mops = 0x0, lr_freeval = 0x6699e0 "", lr_vals =
> 0x669930, lr_btype = 0x669880}
> lrflags = 1
> rc = 0
> rbuf_bv = {bv_len = 0,
> bv_val = 0x66862e "objectclass: inetOrgPerson\nobjectclass:
> organizationalPerson\nobjectclass: person\nobjectclass: top\ncn: B\nsn: B\nuid:
> B\nmail: b@example.org\n"}
> #4 0x0000000000406cb7 in main (argc=6, argv=0x7fffffffdd98) at
> ldapmodify.c:316
> rbuf = 0x668610 "dn"
> rejbuf = 0x0
> rejfp = 0x0
> ldiffp = 0x6600a0
> ldifdummy = {fp = 0x0, prev = 0x0}
> matched_msg = 0x448790 "H\211l$\330L\211d$\340H\215-\003\060!"
> error_msg = 0x8000 <Address 0x8000 out of bounds>
> rc = 0
> retval = 0
> ldifrc = 1
> len = 4491152
> i = 0
> lineno = 1
> nextline = 11
> lmax = 4119
> c = {{ldctl_oid = 0x7fe0f05 <Address 0x7fe0f05 out of bounds>,
> ldctl_value = {bv_len = 5044973646, bv_val = 0x0}, ldctl_iscritical = 0
> '\000'}}
> (gdb) frame 1
> #1 0x000000000042d9f3 in ldap_parse_ldif_record_x (rbuf=0x7fffffffdbb0,
> linenum=1, lr=0x7fffffffdb30, errstr=0x7fffffffe197 "ldapmodify", flags=1,
> ctx=0x0) at ldifutil.c:399
> 399 if ( !BV_CASEMATCH( lr->lr_btype+i, &bv )) {
> (gdb) p *(lr->lr_btype+1)
> $1 = {bv_len = 0, bv_val = 0x668627 "dc=com"}
> (gdb)
>
> bv_len is set incorrectly to zero and therefore the string will be compared
> against bv, which is a "null string".
>
> I have uploaded a patch to address this issue.
>
> With the patch applied, the output is the following:
>
> ./ldapmodify -a -x -f /tmp/invalid.ldif -d2048
> ldif_parse_line: missing ':' after dc=com
> ldapmodify: invalid format (line 2) entry: "cn=B,dc=my-domain,"
>

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
changed state Open to Closed
On Thursday 23 June 2011 22:41:20, Howard Chu wrote:
> jvcelak@redhat.com wrote:
> > Full_Name: Jan Vcelak
> > Version: 2.5.25
>
> There is no OpenLDAP version 2.5.

This is a typo. I mean 2.4.25. (But it is an older issue, it was reported in RH
bugzilla against 2.4.23.)

> There is no file ldifutil.c in OpenLDAP 2.4.
>
> I don't know what you're testing against, but this bug report appears
> invalid. Closing.

$ find -name ldifutil.c
./libraries/libldap/ldifutil.c
./libraries/libldap_r/ldifutil.c

Tested against git master branch.

> Your example doesn't SEGV for me. Anyway, I've committed a different patch
> to master for this issue.

Strange... Fedora Linux 15, 64bit. And clearly uninitialized memory was
accessed. But your fix is fine and works for me.

Thank you.

Jan
Jan Vcelak wrote:
> On Thursday 23 June 2011 22:41:20, Howard Chu wrote:
>> jvcelak@redhat.com wrote:
>>> Full_Name: Jan Vcelak
>>> Version: 2.5.25
>>
>> There is no OpenLDAP version 2.5.
>
> This is a typo. I mean 2.4.25. (But it is an older issue, it was reported in RH
> bugzilla against 2.4.23.)
>
>> There is no file ldifutil.c in OpenLDAP 2.4.
>>
>> I don't know what you're testing against, but this bug report appears
>> invalid. Closing.
>
> $ find -name ldifutil.c
> ./libraries/libldap/ldifutil.c
> ./libraries/libldap_r/ldifutil.c
>
> Tested against git master branch.

Read again what I wrote. There is no file ldifutil.c in OpenLDAP 2.4. git
master is not the same as the 2.4 releases.

>> Your example doesn't SEGV for me. Anyway, I've committed a different patch
>> to master for this issue.
>
> Strange... Fedora Linux 15, 64bit. And clearly uninitialized memory was
> accessed. But your fix is fine and works for me.
>
> Thank you.
>
> Jan
>

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
On Friday 24 June 2011 09:11:41, Howard Chu wrote:
> >> There is no file ldifutil.c in OpenLDAP 2.4.
> >>
> >> I don't know what you're testing against, but this bug report appears
> >> invalid. Closing.
> >
> > $ find -name ldifutil.c
> > ./libraries/libldap/ldifutil.c
> > ./libraries/libldap_r/ldifutil.c
> >
> > Tested against git master branch.
>
> Read again what I wrote. There is no file ldifutil.c in OpenLDAP 2.4. git
> master is not the same as the 2.4 releases.

Ouch, sorry. Then it is fixed only in master, not in RE24 (7cac590).

$ ./ldapmodify -a -x -f /tmp/invalid.ldif -d2048
ldif_parse_line: missing ':' after dc=com
ldapmodify: invalid format (line 2) entry: "cn=B,dc=my-domain,"
Segmentation fault (core dumped)

(gdb) bt
#0  __strcasecmp_l_ssse3 () at ../sysdeps/x86_64/strcmp.S:214
#1  0x000000000040789c in process_ldif_rec (rbuf=0x67464e "objectclass: inetOrgPerson\nobjectclass: organizationalPerson\nobjectclass: person\nobjectclass: top\ncn: B\nsn: B\nuid: B\nmail: b@example.org\n", linenum=1) at ldapmodify.c:655
#2  0x00000000004067d5 in main (argc=6, argv=0x7fffffffdd88) at ldapmodify.c:335
changed notes
changed state Closed to Release
moved from Incoming to Software Bugs
changed notes changed state Release to Closed
fixed in RE24
fixed in master