
Re: (ITS#4364) syncrepl consumer logfilter can cause DOS on provider



This is now fixed in CVS HEAD, thanks for the report.

Frank.Swasey@uvm.edu wrote:
> Full_Name: Francis Swasey
> Version: 2.3.18
> OS: Red Hat Enterprise Linux v4
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (132.198.45.127)
>
>
> Defining a logfilter which is illegal (such as the following:
>
> logfilter="(&(objectclass=auditWriteObject)(reqResult=0)(reqDN=*,dc=edu))"
>
> ) will cause the syncrepl provider using the accesslog overlay to log the
> illegal filter and upon the first update the send_ldap_result attempting to send
> the information to the consumer will cause a segmentation fault.
>
> Here is an excerpt from the typescript of running slapd -d -1 on the provider to
> demonstrate:
>
> conn=1 op=1 SRCH base="cn=accesslog" scope=2 deref=0 filter="(&(objectClass=auditWriteObject)(reqResult=0)(?=undefined))"
> conn=1 op=1 SRCH attr=reqDN reqType reqMod reqNewRDN reqDeleteOldRDN reqNewSuperior entryCSN
> slap_global_control: unavailable control: 1.3.6.1.4.1.4203.1.9.1.1
> ==> limits_get: conn=1 op=1 dn="cn=syncuser,dc=uvm,dc=edu"
> <== limits_get: type=DN match=EXACT dn="cn=syncuser,dc=uvm,dc=edu"
> => hdb_search
> bdb_dn2entry("cn=accesslog")
> base_candidates: base: "cn=accesslog" (0x00000001)
> => test_filter
>     PRESENT
> => access_allowed: search access to "cn=accesslog" "objectClass" requested
> => acl_get: [1] attr objectClass
> => acl_mask: access to entry "cn=accesslog", attr "objectClass" requested
> => acl_mask: to all values by "cn=syncuser,dc=uvm,dc=edu", (=0) 
> <= check a_dn_pat: cn=replicator,dc=uvm,dc=edu
> <= check a_dn_pat: cn=syncuser,dc=uvm,dc=edu
> <= acl_mask: [2] applying read(=rscxd) (stop)
> <= acl_mask: [2] mask: read(=rscxd)
> => access_allowed: search access granted by read(=rscxd)
> <= test_filter 6
> send_ldap_result: conn=1 op=1 p=3
> send_ldap_result: err=0 matched="" text=""
> send_ldap_result: conn=1 op=1 p=3
> send_ldap_result: err=0 matched="" text=""
> send_ldap_intermediate: err=0 oid=1.3.6.1.4.1.4203.1.9.1.4 len=48
> send_ldap_response: msgid=2 tag=121 err=0
> ber_flush: 83 bytes to sd 21
> ...
> conn=1 op=1 INTERM oid=1.3.6.1.4.1.4203.1.9.1.4
> str2filter "(&(objectClass=auditWriteObject)(reqResult=0)(?=undefined))"
> put_filter: "(&(objectClass=auditWriteObject)(reqResult=0)(?=undefined))"
> put_filter: AND
> put_filter_list "(objectClass=auditWriteObject)(reqResult=0)(?=undefined)"
> put_filter: "(objectClass=auditWriteObject)"
> put_filter: simple
> put_simple_filter: "objectClass=auditWriteObject"
> put_filter: "(reqResult=0)"
> put_filter: simple
> put_simple_filter: "reqResult=0"
> put_filter: "(?=undefined)"
> put_filter: simple
> put_simple_filter: "?=undefined"
> ...
> conn=2 op=1 MOD dn="uid=fcswasey,ou=People,dc=uvm,dc=edu"
> conn=2 op=1 MOD attr=initials
> ...
> ==> hdb_add: reqStart=20060123154448.000001Z,cn=accesslog
> ...
> hdb_add: added id=0000392d dn="reqStart=20060123154448.000001Z,cn=accesslog"
> send_ldap_result: conn=2 op=1 p=3
> send_ldap_result: err=0 matched="" text=""
> => test_filter
> Segmentation fault
>
>
>   


-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
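
In the excerpt quoted above, the illegal logfilter shows up in the provider's log as a search on `cn=accesslog` whose filter contains a `(?=undefined)` item. The following is an added example, not part of the original thread or of OpenLDAP: a small scanner that flags such searches in provider logs so a misconfigured consumer can be found. The function names and the sample lines are constructed for illustration.

```python
import re

# slapd search-request log line, in the shape shown in the excerpt above.
SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)"'
    r'.*?filter="(?P<filter>.*)"\s*$'
)
UNDEFINED = "(?=undefined)"  # how the illegal component is logged on this page

# Constructed sample lines modelled on the excerpt (not a real capture).
SAMPLE_LOG = [
    'conn=1 op=1 SRCH base="cn=accesslog" scope=2 deref=0 '
    'filter="(&(objectClass=auditWriteObject)(reqResult=0)(?=undefined))"',
    'conn=1 op=1 SRCH attr=reqDN reqType reqMod',
    'conn=3 op=2 SRCH base="dc=uvm,dc=edu" scope=2 deref=0 filter="(uid=fcswasey)"',
]


def leaf_items(flt):
    """Return the innermost parenthesised items of an LDAP filter string."""
    items, stack = [], []
    for i, ch in enumerate(flt):
        if ch == "(":
            stack.append(i)
        elif ch == ")" and stack:
            start = stack.pop()
            if "(" not in flt[start + 1:i]:  # no nested item inside: a leaf
                items.append(flt[start:i + 1])
    return items


def find_undefined_filters(lines):
    """Report searches whose logged filter contains an undefined component."""
    findings = []
    for line in lines:
        m = SRCH_RE.search(line)
        if not m:
            continue  # not a SRCH base=... filter=... line
        leaves = leaf_items(m["filter"])
        bad = [n for n, leaf in enumerate(leaves) if leaf == UNDEFINED]
        if bad:
            findings.append({"conn": int(m["conn"]), "op": int(m["op"]),
                             "base": m["base"], "filter": m["filter"],
                             "undefined_items": bad, "items": len(leaves)})
    return findings


if __name__ == "__main__":
    for f in find_undefined_filters(SAMPLE_LOG):
        print("conn=%(conn)d op=%(op)d base=%(base)s: item(s) %(undefined_items)s "
              "of %(items)d undefined in %(filter)s" % f)
```
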