Re: (ITS#7687) slapd with chaining dies on ManageDsaIT control
Thanks for the report; I have a quick fix, I'm testing it and will
commit shortly.
p.
On 09/10/2013 09:14 PM, ck@cksoft.de wrote:
>
> Hi,
>
> On Tue, 10 Sep 2013, Michael Ströder wrote:
>
>> ck@cksoft.de wrote:
>>> we have a java application using JNDI that uses the password modify extended
>>> operation to change user passwords.
>>> [..]
>>> When running slapd with heavy logging, we saw that the only difference from ldappasswd,
>>> which works fine against our masters, is that JNDI sets the ManageDsaIT control by
>>> default.
>>
>> Of course slapd should never crash.
>
> Yes, of course not. This opens an attack vector for shooting down slapd for at least anyone who has bind access, which concerns me.
>
> Apart from that, the customer's problem is solved. We just stopped sending the control. A bit like: Dr., Dr., it hurts when I do this. Then why don't you stop doing it?
>
>> But strictly speaking the semantics of using ManageDsaIT control along with
>> password modify ext.op. is not specified - at least not in RFC 3062.
>
> Yes. JNDI sets the control by default.
>
> From looking at the assert
>
> slapd: chain.c:199: chaining_control_remove: Assertion `op->o_ctrls != ((void *)0)' failed.
>
> the comment in chain.c seems to hint at an overly simple assumption, but I understand too little of slapd internals and code flow:
>
> 188 static int
> 189 chaining_control_remove(
> 190 Operation *op,
> 191 LDAPControl ***oldctrlsp )
> 192 {
> 193 LDAPControl **oldctrls = *oldctrlsp;
> 194
> 195 /* we assume that the first control is the chaining control
> 196 * added by the chain overlay, so it's the only one we explicitly
> 197 * free */
> 198 if ( op->o_ctrls != oldctrls ) {
> 199 assert( op->o_ctrls != NULL );
> 200 assert( op->o_ctrls[ 0 ] != NULL );
> 201
> 202 free( op->o_ctrls );
> 203
> 204 op->o_chaining = 0;
> 205 op->o_ctrls = oldctrls;
> 206 }
> 207
> 208 *oldctrlsp = NULL;
> 209
> 210 return 0;
> 211 }
>
>
> Could it be as simple as walking the linked list and just removing the chaining control?
>
> Of course another strategy might be to filter anything but the chaining control up front.
>
> Greetings
> Christian
>
>>
>> Ciao, Michael.
>>
>>
>
--
Pierangelo Masarati
Associate Professor
Dipartimento di Scienze e Tecnologie Aerospaziali
Politecnico di Milano
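The quoted chaining_control_remove() infers "we prepended a control" from a pointer comparison (op->o_ctrls != oldctrls) and then asserts that op->o_ctrls is a non-empty array. If anything between the add and the remove replaces or clears op->o_ctrls, the assert fires and slapd aborts, which is the bind-authenticated denial of service Christian describes. The following is an added example, not OpenLDAP's code and not the fix Pierangelo committed (the page does not show it). It models the add/remove pair with cut-down stand-ins for slapd's LDAPControl and Operation, keeps the quoted logic with its assert() turned into a return code so the failing path can be run, and contrasts it with a removal that tracks the array it allocated and reports, rather than aborts on, an op->o_ctrls that something else changed. The control OIDs are assumed to be those in OpenLDAP's ldap.h; the "clear in between" step is a constructed stand-in for whatever the password-modify path did in the report, which the page does not identify.

```c
/* Added example, not OpenLDAP code: models slapo-chain's control add/remove. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* OIDs as assumed from OpenLDAP's ldap.h (RFC 3296 ManageDsaIT; chaining behavior). */
#define LDAP_CONTROL_MANAGEDSAIT         "2.16.840.1.113730.3.4.2"
#define LDAP_CONTROL_X_CHAINING_BEHAVIOR "1.3.6.1.4.1.4203.666.11.3"

typedef struct LDAPControl {          /* cut-down stand-in: no ldctl_value */
    const char *ldctl_oid;
    int         ldctl_iscritical;
} LDAPControl;

typedef struct Operation {            /* only the fields this example touches */
    LDAPControl **o_ctrls;            /* NULL-terminated array, or NULL */
    int           o_chaining;
} Operation;

/* Number of controls in a NULL-terminated array (a NULL array holds none). */
static int ctrl_count(LDAPControl **ctrls)
{
    int n = 0;
    if (ctrls != NULL)
        while (ctrls[n] != NULL) n++;
    return n;
}

/* Is a control with this OID attached to the operation? */
static int has_control(const Operation *op, const char *oid)
{
    for (int i = 0; op->o_ctrls != NULL && op->o_ctrls[i] != NULL; i++)
        if (strcmp(op->o_ctrls[i]->ldctl_oid, oid) == 0) return 1;
    return 0;
}

/* Prepend the chaining control in a fresh array, handing the previous array
 * back through *oldctrlsp exactly as the quoted remove routine expects. */
static int chaining_add(Operation *op, LDAPControl *chain, LDAPControl ***oldctrlsp)
{
    int n = ctrl_count(op->o_ctrls);
    LDAPControl **nc = calloc((size_t)n + 2, sizeof *nc);
    if (nc == NULL) return -1;
    nc[0] = chain;
    for (int i = 0; i < n; i++) nc[i + 1] = op->o_ctrls[i];
    *oldctrlsp = op->o_ctrls;
    op->o_ctrls = nc;
    op->o_chaining = 1;
    return 0;
}

/* The quoted chaining_control_remove(), with assert() replaced by -1 so the
 * failing path can be exercised here instead of aborting the process. */
static int fragile_remove(Operation *op, LDAPControl ***oldctrlsp)
{
    LDAPControl **oldctrls = *oldctrlsp;
    if (op->o_ctrls != oldctrls) {
        if (op->o_ctrls == NULL || op->o_ctrls[0] == NULL)
            return -1;                /* the chain.c:199/200 asserts: slapd aborts */
        free(op->o_ctrls);
        op->o_chaining = 0;
        op->o_ctrls = oldctrls;
    }
    *oldctrlsp = NULL;
    return 0;
}

/* Ownership-tracking variant (this example's design, not the project's fix):
 * remember the array we allocated, free only that, restore the caller's
 * array unconditionally, and report an op->o_ctrls changed in between. */
typedef struct chain_ctx { LDAPControl **saved, **ours; } chain_ctx;

static int robust_add(Operation *op, LDAPControl *chain, chain_ctx *cx)
{
    if (chaining_add(op, chain, &cx->saved) != 0) return -1;
    cx->ours = op->o_ctrls;
    return 0;
}

static int robust_remove(Operation *op, chain_ctx *cx)
{
    int tampered = 0;
    if (cx->ours != NULL) {
        tampered = (op->o_ctrls != cx->ours);   /* replaced or cleared meanwhile */
        free(cx->ours);                         /* a foreign array is left alone, never freed */
        cx->ours = NULL;
    }
    op->o_ctrls = cx->saved;
    op->o_chaining = 0;
    cx->saved = NULL;
    return tampered;                  /* 0 = clean, 1 = inconsistency worth logging, not fatal */
}

/* Drive one request carrying ManageDsaIT (what JNDI sends by default).
 * clear_in_between is a constructed stand-in for the unknown step in the report.
 * Returns the remove routine's result, or -3 if the client array was not restored. */
static int simulate(int use_robust, int clear_in_between)
{
    LDAPControl mdsait = { LDAP_CONTROL_MANAGEDSAIT, 0 };
    LDAPControl chain  = { LDAP_CONTROL_X_CHAINING_BEHAVIOR, 0 };
    LDAPControl *client[] = { &mdsait, NULL };
    Operation op = { client, 0 };
    int rc;

    if (use_robust) {
        chain_ctx cx = { NULL, NULL };
        if (robust_add(&op, &chain, &cx) != 0) return -2;
        if (clear_in_between) op.o_ctrls = NULL;
        rc = robust_remove(&op, &cx);
    } else {
        LDAPControl **old = NULL, **ours;
        if (chaining_add(&op, &chain, &old) != 0) return -2;
        ours = op.o_ctrls;
        if (clear_in_between) op.o_ctrls = NULL;
        rc = fragile_remove(&op, &old);
        if (rc != 0) free(ours);      /* real slapd never gets here: it has aborted */
    }
    if (rc >= 0 && op.o_ctrls != client) return -3;
    return rc;
}

/* Sanity check of the add step: both controls visible, chaining first. */
static int chained_request_is_well_formed(void)
{
    LDAPControl mdsait = { LDAP_CONTROL_MANAGEDSAIT, 0 };
    LDAPControl chain  = { LDAP_CONTROL_X_CHAINING_BEHAVIOR, 0 };
    LDAPControl *client[] = { &mdsait, NULL };
    Operation op = { client, 0 };
    LDAPControl **old = NULL;
    int ok;
    if (chaining_add(&op, &chain, &old) != 0) return 0;
    ok = ctrl_count(op.o_ctrls) == 2 && op.o_ctrls[0] == &chain
         && has_control(&op, LDAP_CONTROL_MANAGEDSAIT) && op.o_chaining == 1;
    free(op.o_ctrls);
    return ok;
}

int main(void)
{
    printf("fragile, untouched : %d\n", simulate(0, 0));
    printf("fragile, cleared   : %d (slapd would have aborted)\n", simulate(0, 1));
    printf("robust,  untouched : %d\n", simulate(1, 0));
    printf("robust,  cleared   : %d (logged, request still answered)\n", simulate(1, 1));
    return 0;
}
```

The point of the contrast is that an assert() in a request path turns any unexpected but survivable state into a process abort reachable by an authenticated client; recording what the overlay itself allocated removes the guess, and a mismatch becomes a log line rather than a crash.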