
(ITS#6508) memberof segmentation fault



Full_Name: Neil Dunbar
Version: 2.4.21
OS: Debian 5, Ubuntu 9.10
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (68.142.115.87)


Hi there,

It looks like there's a small bug in memberof.c - it only manifests itself when
"memberof_dangling" is set to "drop". I think that, while the overlay reduces
the a->a_vals and a->a_nvals arrays by one, to strip out a non-existent DN, it
needs to reduce the a->a_numvals variable as well.

The end result of this is that if one adds a group which has a mix of members
which exist in the DIT, and some which don't, the entry_encode() routine will
segfault. [I can only reproduce the segv in back-bdb and back-hdb. back-ldif
doesn't seem to exhibit this behaviour].

I've uploaded a tiny slapd.conf and test LDIF file (in
ftp://ftp.openldap.org/incoming/memberof-segv-20100407.tar.gz) which is normally
enough to trigger the fault. If one starts up slapd via

slapd -f mof-slapd.conf -h ldap://localhost -d trace

followed by

ldapmodify -x -H ldap://localhost -D cn=admin,dc=test -w adminpw -f ldif/test-memberof.ldif

one should see an assertion fail in entry_encode() with (i == a->a_numvals)
failing.

The following patch seems to fix it, but I haven't done real regression testing
to see if it rolls other errors. The normal slapd unit tests seem to yield
proper results though.

---8<----8<------
--- memberof.c.orig     2010-04-07 16:49:44.000000000 -0700
+++ memberof.c  2010-04-07 16:49:20.000000000 -0700
@@ -580,6 +580,7 @@
                                                        sizeof( struct berval )
* ( j - i ) );
                                        }
                                        i--;
+                                       a->a_numvals--;
                                }
                        }
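Review bot: the added `a->a_numvals--;` sits in the right place, inside the branch that removes a value and after the memmove and `i--`, so the count shrinks exactly once per dropped DN; it would help to add a one-line comment there tying it to the invariant entry_encode() asserts (i == a->a_numvals), so a later edit to this loop does not reintroduce the mismatch. The context shows only the tail of a single memmove over `sizeof( struct berval ) * ( j - i )`, while the report says both a_vals and a_nvals are shrunk; worth confirming in the full function that both arrays and the count are adjusted in the same branch, and that no other path in the overlay drops a value without touching a_numvals.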
---8<----8<------

Hope this helps,

Neil
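As an added illustration that is not OpenLDAP's code and not part of the report above, here is a hypothetical stripped-down model of the a_vals/a_nvals/a_numvals triple; the struct, function names and the sample DNs are assumptions, and the removal loop mirrors the memmove/i-- shape of the hunk so that the stale count can be checked with the same invariant entry_encode() asserts.

```c
/* Hypothetical model, not slapd's struct Attribute; field names mirror it. */
#include <stdlib.h>
#include <string.h>

struct berval { size_t bv_len; char *bv_val; };

struct attr {
    struct berval *a_vals;   /* NULL-terminated value array */
    struct berval *a_nvals;  /* NULL-terminated normalized values */
    unsigned a_numvals;      /* count that must track the arrays */
};

/* The invariant entry_encode() asserts: walking a_vals up to the
 * terminating NULL must count exactly a_numvals values. */
static int attr_consistent(const struct attr *a)
{
    unsigned i = 0;
    while (a->a_vals[i].bv_val != NULL) i++;
    return i == a->a_numvals;
}

/* Drop every value for which is_dangling() is true, shifting the tail
 * (and the NULL terminator) down one slot as the memmove in the hunk does.
 * With fix_count == 0 this reproduces the bug: arrays shrink, count stays. */
static void drop_dangling(struct attr *a, int (*is_dangling)(const char *), int fix_count)
{
    int i, j;
    for (i = 0; a->a_vals[i].bv_val != NULL; i++) {
        if (!is_dangling(a->a_vals[i].bv_val)) continue;
        for (j = i + 1; a->a_vals[j].bv_val != NULL; j++) ;
        memmove(&a->a_vals[i], &a->a_vals[i + 1], sizeof(struct berval) * (j - i));
        memmove(&a->a_nvals[i], &a->a_nvals[i + 1], sizeof(struct berval) * (j - i));
        i--;                              /* re-examine the slot just filled */
        if (fix_count) a->a_numvals--;    /* the line the patch adds */
    }
}

/* Constructed sample: a DN containing "missing" stands in for an entry absent from the DIT. */
static int is_missing(const char *dn) { return strstr(dn, "missing") != NULL; }

/* Three member DNs, the middle one dangling. Returns 1 if the attribute
 * still satisfies the entry_encode() invariant after stripping, else 0. */
int strip_sample(int fix_count)
{
    struct berval vals[4] = {
        {16, "cn=alice,dc=test"}, {18, "cn=missing,dc=test"}, {14, "cn=bob,dc=test"}, {0, NULL}
    };
    struct berval nvals[4];
    memcpy(nvals, vals, sizeof vals);
    struct attr a = { vals, nvals, 3 };
    drop_dangling(&a, is_missing, fix_count);
    return attr_consistent(&a);
}
```

strip_sample(0) models the unpatched overlay and fails the invariant; strip_sample(1) models the patched one and passes.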