[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7580) autogroup module blowing slapd when using a labeledURI without attribute specification ?

With help from hbf on #openldap on irc, managed to track this down to autogroup.c:autogroup_member_search_cb().


In my usecase with labeledURI: ldap:///ou=people,dc=example,dc=org??one?(&(objectClass=inetOrgPerson)(o=myorg))

agf->agf_anlist is NULL since no attributes were specified, and the else branch
is taken. In that branch, the e_name & e_nname from rs->sr_entry are assigned
to lvals[0] & lnvals[0], and those two structs are local to the else branch.
Later on, they assigned to vals & nvals, but when you get out of the else
branch they're not in the scope anymore -> mod.sm_values & mod.sm_nvalues
potentially get garbage.

Declaring lvals & lnvals arrays outside of the branch (ie at the same spot as
vals & nvals) fixes the assert for me, tested on debian sid with rebuilt 2.4.31
packages, but the fix should probably be the same for git master.

Inline patch fixing the issue (probably mangled in the output....)

diff --git a/contrib/slapd-modules/autogroup/autogroup.c b/contrib/slapd-modules/autogroup/autogroup.c
index 06e1407..091a42f 100644
--- a/contrib/slapd-modules/autogroup/autogroup.c
+++ b/contrib/slapd-modules/autogroup/autogroup.c
@@ -331,6 +331,7 @@ autogroup_member_search_cb( Operation *op, SlapReply *rs )
                const char              *text = NULL;
                char                    textbuf[1024];
                struct berval           *vals, *nvals;
+               struct berval           lvals[ 2 ], lnvals[ 2 ];
                int                     numvals;
                Debug(LDAP_DEBUG_TRACE, "==> autogroup_member_search_cb <%s>\n",
@@ -347,7 +348,6 @@ autogroup_member_search_cb( Operation *op, SlapReply *rs )
                                return 0;
                } else {
-                       struct berval           lvals[ 2 ], lnvals[ 2 ];
                        lvals[ 0 ] = rs->sr_entry->e_name;
                        BER_BVZERO( &lvals[ 1 ] );
                        lnvals[ 0 ] = rs->sr_entry->e_nname;

Landry Breuil