(ITS#3612) Segfault in libraries/libldap/result.c
Full_Name: James F. Hranicky
Version: 2.3.2beta
OS: Solaris 10 x86
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (128.227.205.52)
I'm using OpenLDAP 2.3.2beta as the DB for both a Samba domain
and a Heimdal realm. Once everything is up and running and I
use kadmin to list all the principals, I get a segfault:
# kadmin -l list '*'
zsh: segmentation fault (core dumped) kadmin -l list '*'
Here's the stack trace from gdb:
Program received signal SIGSEGV, Segmentation fault.
0xd0e3a580 in try_read1msg (ld=0x806ff98, msgid=5, all=1,
sb=0x8071590, lcp=0x8047620, result=0x80476f4) at result.c:866
(gdb) where
#0 0xd0e3a580 in try_read1msg (ld=0x806ff98, msgid=5, all=1,
sb=0x8071590, lcp=0x8047620, result=0x80476f4) at result.c:866
#1 0xd0e3979e in wait4msg (ld=0x806ff98, msgid=5, all=1,
timeout=0x0, result=0x80476f4) at result.c:343
#2 0xd0e3910f in ldap_result (ld=0x806ff98, msgid=5, all=1,
timeout=0x0, result=0x80476f4) at result.c:122
#3 0xd0e3c15b in ldap_search_s (ld=0x806ff98, base=0x8070198
"cn=ldapadmin,dc=cise,dc=ufl,dc=edu", scope=2, filter=0xd0f613e0
"(objectClass=krb5Principal)", attrs=0xd0f72720, attrsonly=0,
res=0x80476f4) at search.c:362
#4 0xd0f56687 in LDAP_dn2principal (context=0x806e040, db=0x806fe48,
dn=0x8070198 "cn=ldapadmin,dc=cise,dc=ufl,dc=edu", principal=0x8047804)
at hdb-ldap.c:770
#5 0xd0f5715c in LDAP_message2entry (context=0x806e040,
db=0x806fe48, msg=0x8071608, ent=0x80477f0) at hdb-ldap.c:1075
#6 0xd0f578a0 in LDAP_seq (context=0x806e040, db=0x806fe48, flags=0,
entry=0x80477f0) at hdb-ldap.c:1358
#7 0xd0f57ada in LDAP_nextkey (context=0x806e040, db=0x806fe48,
flags=0, entry=0x80477f0) at hdb-ldap.c:1433
#8 0xd0f5895f in hdb_foreach (context=0x806e040, db=0x806fe48,
flags=0, func=0xd0f85862 <foreach>, data=0x8047880) at hdb.c:161
#9 0xd0f85a13 in kadm5_s_get_principals (server_handle=0x806fd60,
exp=0x8047c42 "*", princs=0x80478f0, count=0x80478ec) at
get_princs_s.c:102
#10 0xd0fb3648 in kadm5_get_principals (server_handle=0x806fd60,
exp=0x8047c42 "*", princs=0x80478f0, count=0x80478ec) at
common_glue.c:126
#11 0x08058afc in foreach_principal (exp=0x8047c42 "*",
func=0x8054f9b <do_get_entry>, funcname=0x805b678 "get", data=0x8047920)
at util.c:505
#12 0x080553d8 in getit (opt=0x8047a30, name=0x805b67c "list",
argc=1, argv=0x8047b2c) at get.c:382
#13 0x08055487 in list_princs (opt=0x8047a30, argc=1, argv=0x8047b2c)
at get.c:405
#14 0x0805a6a8 in list_wrap (argc=3, argv=0x8047b24) at
kadmin-commands.c:495
#15 0xd0f31fae in sl_command (cmds=0x806dc20, argc=3, argv=0x8047b24)
at sl.c:234
#16 0x0805627c in main (argc=3, argv=0x8047b24) at kadmin.c:261
Looking at the code, I see that when l->lm_chain is not null, the code dereferences l->lm_chain_tail (and l->lm_chain_tail->lm_chain) without first verifying that lm_chain_tail is also non-null:
/* Append the newly read message `new` to the message chain rooted at `l`.
 * NOTE(review): in the excerpt below, lm_chain_tail is only ever assigned
 * on the non-search path of the first branch; when the first appended
 * message is a SEARCH_ENTRY / SEARCH_REFERENCE / INTERMEDIATE, lm_chain
 * becomes non-NULL while lm_chain_tail is left untouched. The gdb dump in
 * this report shows exactly that state (lm_chain = 0x8071630,
 * lm_chain_tail = 0x0), which the else branch then dereferences. */
if (l->lm_chain == NULL) {
if ((l->lm_msgtype == LDAP_RES_SEARCH_ENTRY) ||
(l->lm_msgtype == LDAP_RES_SEARCH_REFERENCE) ||
(l->lm_msgtype == LDAP_RES_INTERMEDIATE)) {
/* do not advance lm_chain_tail in this case */
/* only lm_chain is set here; lm_chain_tail keeps its previous value */
l->lm_chain = new;
} else {
/*FIXME: ldap_msgfree( l );*/
l = new;
l->lm_chain_tail = new;   /* the only place this excerpt sets lm_chain_tail */
}
} else {
/* lm_chain_tail (and lm_chain_tail->lm_chain) is dereferenced with no
 * NULL check; the frame at result.c:866 in the trace above faults on the
 * line marked `=>`. */
=> if ((l->lm_chain_tail->lm_chain->lm_msgtype
== LDAP_RES_SEARCH_ENTRY) ||
(l->lm_chain_tail->lm_chain->lm_msgtype
== LDAP_RES_SEARCH_REFERENCE) ||
(l->lm_chain_tail->lm_chain->lm_msgtype
== LDAP_RES_INTERMEDIATE)) {
/* link `new` after the current tail message and advance the tail */
l->lm_chain_tail->lm_chain->lm_chain = new;
l->lm_chain_tail = l->lm_chain_tail->lm_chain;
} else {
/*FIXME: ldap_msgfree( l->lm_chain_tail->lm_chain );*/
/* replace the message after the tail rather than advancing the tail */
l->lm_chain_tail->lm_chain = new;
}
}
The struct l looks like this:
3: *l = {lm_msgid = 2, lm_msgtype = 100, lm_ber = 0x8070920, lm_chain =
0x8071630,
lm_chain_tail = 0x0, lm_next = 0x0, lm_time = 0}
Code needs to be added to check for the possibility of a null lm_chain_tail before it is dereferenced in the else branch.