
Re: (ITS#4364) syncrepl consumer logfilter can cause DOS on provider



Thank you!  I tracked down the changes and applied them to the 2.3.18 
source and tests show that the syncrepl provider stays running.

Frank

On 1/23/06 2:58 PM, Howard Chu wrote:
> This is now fixed in CVS HEAD, thanks for the report.
> 
> Frank.Swasey@uvm.edu wrote:
>> Full_Name: Francis Swasey
>> Version: 2.3.18
>> OS: Red Hat Enterprise Linux v4
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (132.198.45.127)
>>
>>
>> Defining a logfilter which is illegal (such as the following:
>>
>> logfilter="(&(objectclass=auditWriteObject)(reqResult=0)(reqDN=*,dc=edu))" 
>>
>>
>> ) will cause the syncrepl provider using the accesslog overlay to log the
>> illegal filter and upon the first update the send_ldap_result attempting
>> to send the information to the consumer will cause a segmentation fault.
>>
>> Here is an excerpt from the typescript of running slapd -d -1 on the
>> provider to demonstrate:
>>
>> conn=1 op=1 SRCH base="cn=accesslog" scope=2 deref=0 filter="(&(objectClass=auditWriteObject)(reqResult=0)(?=undefined))"
>> conn=1 op=1 SRCH attr=reqDN reqType reqMod reqNewRDN reqDeleteOldRDN reqNewSuperior entryCSN
>> slap_global_control: unavailable control: 1.3.6.1.4.1.4203.1.9.1.1
>> ==> limits_get: conn=1 op=1 dn="cn=syncuser,dc=uvm,dc=edu"
>> <== limits_get: type=DN match=EXACT dn="cn=syncuser,dc=uvm,dc=edu"
>> => hdb_search
>> bdb_dn2entry("cn=accesslog")
>> base_candidates: base: "cn=accesslog" (0x00000001)
>> => test_filter
>>     PRESENT
>> => access_allowed: search access to "cn=accesslog" "objectClass" requested
>> => acl_get: [1] attr objectClass
>> => acl_mask: access to entry "cn=accesslog", attr "objectClass" requested
>> => acl_mask: to all values by "cn=syncuser,dc=uvm,dc=edu", (=0)
>> <= check a_dn_pat: cn=replicator,dc=uvm,dc=edu
>> <= check a_dn_pat: cn=syncuser,dc=uvm,dc=edu
>> <= acl_mask: [2] applying read(=rscxd) (stop)
>> <= acl_mask: [2] mask: read(=rscxd)
>> => access_allowed: search access granted by read(=rscxd)
>> <= test_filter 6
>> send_ldap_result: conn=1 op=1 p=3
>> send_ldap_result: err=0 matched="" text=""
>> send_ldap_result: conn=1 op=1 p=3
>> send_ldap_result: err=0 matched="" text=""
>> send_ldap_intermediate: err=0 oid=1.3.6.1.4.1.4203.1.9.1.4 len=48
>> send_ldap_response: msgid=2 tag=121 err=0
>> ber_flush: 83 bytes to sd 21
>> ...
>> conn=1 op=1 INTERM oid=1.3.6.1.4.1.4203.1.9.1.4
>> str2filter "(&(objectClass=auditWriteObject)(reqResult=0)(?=undefined))"
>> put_filter: "(&(objectClass=auditWriteObject)(reqResult=0)(?=undefined))"
>> put_filter: AND
>> put_filter_list "(objectClass=auditWriteObject)(reqResult=0)(?=undefined)"
>> put_filter: "(objectClass=auditWriteObject)"
>> put_filter: simple
>> put_simple_filter: "objectClass=auditWriteObject"
>> put_filter: "(reqResult=0)"
>> put_filter: simple
>> put_simple_filter: "reqResult=0"
>> put_filter: "(?=undefined)"
>> put_filter: simple
>> put_simple_filter: "?=undefined"
>> ...
>> conn=2 op=1 MOD dn="uid=fcswasey,ou=People,dc=uvm,dc=edu"
>> conn=2 op=1 MOD attr=initials
>> ...
>> ==> hdb_add: reqStart=20060123154448.000001Z,cn=accesslog
>> ...
>> hdb_add: added id=0000392d dn="reqStart=20060123154448.000001Z,cn=accesslog"
>> send_ldap_result: conn=2 op=1 p=3
>> send_ldap_result: err=0 matched="" text=""
>> => test_filter
>> Segmentation fault
>>
>>
>>   
> 
> 

-- 
Frank Swasey                    | http://www.uvm.edu/~fcs
Senior IT Professional          | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
   "I am not young enough to know everything." - Oscar Wilde (1854-1900)
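
A provider-side check for the symptom shown in the report, as an added example that is not part of the original thread or of OpenLDAP: it scans slapd debug output for SRCH records whose filter was logged with a `(?=undefined)` term and reports which term of the filter it was, so it can be mapped back to the consumer's logfilter. The function names are assumptions, and the sample log is constructed from the excerpt in the report plus one made-up search line.

```python
import re

# SRCH record as printed in the report; a captured log may wrap before or inside filter="...".
SRCH_RE = re.compile(
    r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d+ deref=\d+'
    r'\s+filter="([^"]*)"'
)
UNDEFINED = "(?=undefined)"  # how slapd logged the rejected assertion in the report

# Constructed sample: first record follows the report (hard-wrapped), last line is made up.
SAMPLE_LOG = '''conn=1 op=1 SRCH base="cn=accesslog" scope=2 deref=0
filter="(&(objectClass=audi
tWriteObject)(reqResult=0)(?=undefined))"
conn=1 op=1 SRCH attr=reqDN reqType reqMod
conn=3 op=1 SRCH base="dc=uvm,dc=edu" scope=2 deref=0 filter="(uid=fcswasey)"
'''

def children(flt):
    """Return the terms directly under the outermost operator of an LDAP filter."""
    inner = flt[1:-1] if flt.startswith("(") and flt.endswith(")") else flt
    out, depth, start = [], 0, 0
    for i, ch in enumerate(inner):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                out.append(inner[start:i + 1])
    return out or [flt]  # a simple filter has no nested terms

def find_undefined_filters(log_text):
    """List SRCH records whose logged filter contains an undefined assertion."""
    hits = []
    for m in SRCH_RE.finditer(log_text):
        conn, op, base, flt = m.groups()
        flt = flt.replace("\r", "").replace("\n", "")  # undo hard wrapping
        if UNDEFINED in flt:
            bad = [i for i, t in enumerate(children(flt), 1) if UNDEFINED in t]
            hits.append({"conn": int(conn), "op": int(op), "base": base,
                         "filter": flt, "undefined_terms": bad})
    return hits

if __name__ == "__main__":
    for hit in find_undefined_filters(SAMPLE_LOG):
        print(hit)
```

Term positions are 1-based, so a result of `[3]` for the sample points at the third clause of the consumer's logfilter.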