
(ITS#9128) Fix for slapd-mdb start Bus Error in strchrlen



Full_Name: Arvid Requate
Version: 2.4.45
OS: UCS / Debian Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (92.210.162.23)


In our CI tests we observed a situation where the slapd-mdb failed to start,
terminating due to a "bus error" and slapcat showed the same behaviour. It turned
out that the data.mdb file had an "Attribute;option" string right at the end of
it and strchrlen tried to access a memory location past the end of the page
while scanning for another ';', see stack trace down below.

This patch fixed the issue for us:
=========================================================
Author: Arvid Requate <requate@univention.de>
Date:   Tue Dec 3 23:33:10 2019 +0100

    Avoid bus error with slapd-mdb/slapcat

diff --git a/servers/slapd/ad.c b/servers/slapd/ad.c
index 801f18d34..31a94a725 100644
--- a/servers/slapd/ad.c
+++ b/servers/slapd/ad.c
@@ -145,7 +145,7 @@ static char *strchrlen(
 {
        const char *p;
 
-       for( p=beg; *p && p < end; p++ ) {
+       for( p=beg; p < end && *p; p++ ) {
                if( *p == ch ) {
                        *len = p - beg;
                        return (char *) p;
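
Review bot: The for line in strchrlen is only safe while "p < end" is tested before "*p", and nothing in the code records that, so a later cleanup could swap the operands back. Add a one-line comment above the loop stating that [beg, end) is not guaranteed to be NUL-terminated and that *end must never be read. The commit message should also name the cause (a read one byte past end) and reference ITS#9128, not only the symptom.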
=========================================================

This is the stack trace:
=========================================================
$ gdb slapcat
 bt
#0  0x00005555555d0dc4 in strchrlen (len=<synthetic pointer>, ch=59 ';',
end=0x7fff6bd62000 <error: Cannot access memory at address 0x7fff6bd62000>, 
    beg=0x7fff6bd61ff5 "entry-de-de"<error: Cannot access memory at address
0x7fff6bd62000>) at ../../../../servers/slapd/ad.c:148
#1  slap_bv2ad (bv=bv@entry=0x7fffffffdbe0, ad=ad@entry=0x7fffffffdbb8,
text=text@entry=0x7fffffffdbb0) at ../../../../servers/slapd/ad.c:224
#2  0x00007fffee70e043 in mdb_ad_read (mdb=mdb@entry=0x555555a58240,
txn=<optimized out>) at ../../../../../servers/slapd/back-mdb/attr.c:573
#3  0x00007fffee6fe4ad in mdb_db_open (be=0x7fffffffdd90, cr=0x7fffffffdf80) at
../../../../../servers/slapd/back-mdb/init.c:263
#4  0x00005555555fa601 in over_db_open (be=<optimized out>, cr=0x7fffffffdf80)
at ../../../../servers/slapd/backover.c:149
#5  0x000055555559a317 in backend_startup_one (be=be@entry=0x555555a580a0,
cr=cr@entry=0x7fffffffdf80) at ../../../../servers/slapd/backend.c:224
#6  0x000055555559a4cb in backend_startup (be=be@entry=0x555555a580a0) at
../../../../servers/slapd/backend.c:278
#7  0x00005555555bc0e1 in slap_startup (be=0x555555a580a0) at
../../../../servers/slapd/init.c:219
#8  0x00005555555ffc84 in slap_tool_init (progname=progname@entry=0x55555561d2c1
"slapcat", tool=tool@entry=2, argc=<optimized out>, argv=<optimized out>) at
../../../../servers/slapd/slapcommon.c:908
#9  0x00005555555fec90 in slapcat (argc=<optimized out>, argv=<optimized out>)
at ../../../../servers/slapd/slapcat.c:53
#10 0x0000555555570867 in main (argc=1, argv=0x7fffffffe568) at
../../../../servers/slapd/main.c:410
=========================================================
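
The failure described in this report can be reproduced with a guard page. The following is an added example, not part of the original submission or of OpenLDAP's code: scan_old and scan_new mirror the two loop conditions from the hunk (the code after the loop is assumed), and place_at_page_end and crashes are hypothetical helpers. It assumes a POSIX system with mmap and fork.

```c
#define _DEFAULT_SOURCE               /* for MAP_ANONYMOUS under strict -std */
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
typedef const char *(*scan_fn)(const char *, const char *, char, size_t *);
/* Pre-patch condition order: *p is read before p is compared with end. */
static const char *scan_old(const char *beg, const char *end, char ch, size_t *len) {
    const char *p;
    for (p = beg; *p && p < end; p++)
        if (*p == ch) { *len = p - beg; return p; }
    *len = p - beg;                   /* tail assumed, not shown in the hunk */
    return NULL;
}

/* Patched order: the bound is tested first, so *end is never read. */
static const char *scan_new(const char *beg, const char *end, char ch, size_t *len) {
    const char *p;
    for (p = beg; p < end && *p; p++)
        if (*p == ch) { *len = p - beg; return p; }
    *len = p - beg;
    return NULL;
}

/* Copy s (no NUL) so it ends on the last readable byte before a PROT_NONE page. */
static char *place_at_page_end(const char *s) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE), n = strlen(s);
    char *m = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED || mprotect(m + pg, pg, PROT_NONE) != 0) return NULL;
    memcpy(m + pg - n, s, n);
    return m + pg;                    /* one past the end, first guarded byte */
}

/* Scan the last n bytes before end in a child; 1 if the child did not exit cleanly. */
static int crashes(scan_fn fn, const char *end, size_t n, char ch) {
    int st = 0; size_t len = 0;
    pid_t pid = fork();
    if (pid == 0) { const char *volatile r = fn(end - n, end, ch, &len); (void)r; _exit(0); }
    if (pid < 0 || waitpid(pid, &st, 0) < 0) return -1;
    return !(WIFEXITED(st) && WEXITSTATUS(st) == 0);
}

int main(void) {
    char *end = place_at_page_end("Attribute;option"); /* constructed sample */
    if (!end) return 1;
    printf("old=%d patched=%d\n", crashes(scan_old, end, 6, ';'), crashes(scan_new, end, 6, ';'));
    return 0;
}
```

The 6-byte scan covers "option", the part searched for a second ';' after the first one has been found.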