autoca SEGV with OpenSSL 1.1
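The new autoca overlay is broken with OpenSSL 1.1, even after fixing the code
to pull in the correct headers. Specifically, we get a segfault inside
OpenSSL's libcrypto. Going by the docs, the code appears to be correct on the
OpenLDAP side of things, so this is perhaps a bug in OpenSSL (I'm using
1.1.0e, the latest release). One thing worth checking in frame #4 below: bn is
0x68134c60, while the neighbouring heap pointers (subj_name, evpk) are full
0x7f79... addresses, so the pointer handed to libcrypto may have been truncated
before the call. Backtrace shows: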
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f797716d700 (LWP 8432)]
bn_wexpand (a=0x68134c60, words=1) at crypto/bn/bn_lib.c:1018
1018 return (words <= a->dmax) ? a : bn_expand2(a, words);
(gdb) bt full
#0 bn_wexpand (a=0x68134c60, words=1) at crypto/bn/bn_lib.c:1018
No locals.
#1 0x00007f797b1cd14e in BN_bin2bn (s=0x7f796824eff0
"\271ct\035\200T\330,\210", len=<optimized out>, ret=0x68134c60) at
crypto/bn/bn_lib.c:497
i = 1
m = 7
n = <optimized out>
l = <optimized out>
bn = <optimized out>
#2 0x00007f797b1d2e67 in bnrand (bottom=<optimized out>, top=0,
bits=<optimized out>, rnd=0x68134c60, pseudorand=<optimized out>) at
crypto/bn/bn_rand.c:83
buf = 0x7f796824eff0 "\271ct\035\200T\330,\210"
ret = <optimized out>
bit = <optimized out>
bytes = 8
mask = <optimized out>
tim = 1492622208
#3 bnrand (pseudorand=<optimized out>, rnd=0x68134c60, bits=<optimized
out>, top=0, bottom=<optimized out>) at crypto/bn/bn_rand.c:17
No locals.
#4 0x00007f797597a1a8 in autoca_gencert (op=0x7f797716a9d0,
args=0x7f797716a8e0) at autoca.c:319
bn = 0x68134c60
subj_name = 0x7f7968134a20
issuer_name = 0x7f797716a9d0
subj_cert = 0x7f79681344d0
derdn = {bv_len = 48,
bv_val = 0x7f79680030d8
"\035;\261\323\363\256\250\257\024\357^\353\367feaN\202\355UE\363\nY\255\217r\v\254\a\333\025\331\325\372E`\302\217S\tL\t`\003\261\005\233\372{\223\351\231=Z\361\362<\343\352\250j\262\024\256\344[^\237\224t\\qF\262\272\235\b$\306R\211\335^\364\024\377\063C\\5\314\330T\fyM\237B\366\311a\254\231\034\353*\224\275\240u\266W&T\255\021\202j"}
pp = 0x7f7968003408 "\020"
evpk = 0x7f7968134d20
rc = 1
#5 0x00007f797597c3d3 in autoca_db_open (be=0x7f7968001a90,
cr=0x7f797716c414) at autoca.c:1037
args = {issuer_cert = 0x0, issuer_pkey = 0x0, subjectDN =
0x7f796810c370, cert_exts = 0x7f7975b7e380, more_exts = 0x0, newcert =
0x7f797716aa00, newpkey = 0x7f7968134d20,
dercert = {bv_len = 140159726786010, bv_val = 0x7f79ffffffff
<Address 0x7f79ffffffff out of bounds>}, derpkey = {bv_len = 1216, bv_val =
0x7f7968002f48 "0\202\004\274\002\001"},
keybits = 2048, days = 3652}
arg2 = {oc = 0x3c, dercert = 0x7f797aba208e, derpkey =
0x7f797aee1180, on = 0x3c, dn = 0x7f797716aa00, ndn = 0x7f797716d9c0, isca
= 4}
gotoc = 0
gotat = 0
on = 0x7f7968133e00
ai = 0x7f796824a6a0
conn = {c_struct_state = SLAP_C_UNINITIALIZED, c_conn_state =
SLAP_C_INVALID, c_conn_idx = -1, c_sd = 0, c_close_reason = 0x0, c_mutex =
{__data = {__lock = 0, __count = 0,
__owner = 0, __nusers = 0, __kind = 0, __spins = 0, __list =
{__prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 39 times>, __align
= 0}, c_sb = 0x0, c_starttime = 0,
c_activitytime = 0, c_connid = 18446744073709551615,
c_peer_domain = {bv_len = 0, bv_val = 0x5073c0 ""}, c_peer_name = {bv_len =
0, bv_val = 0x5073c0 ""}, c_listener = 0x50fe80,
c_sasl_bind_mech = {bv_len = 0, bv_val = 0x0}, c_sasl_dn =
{bv_len = 0, bv_val = 0x0}, c_sasl_authz_dn = {bv_len = 0, bv_val = 0x0},
c_authz_backend = 0x0, c_authz_cookie = 0x0,
c_authz = {sai_method = 0, sai_mech = {bv_len = 0, bv_val = 0x0},
sai_dn = {bv_len = 0, bv_val = 0x0}, sai_ndn = {bv_len = 0, bv_val = 0x0},
sai_ssf = 0, sai_transport_ssf = 0,
sai_tls_ssf = 0, sai_sasl_ssf = 0}, c_protocol = 0, c_ops =
{stqh_first = 0x0, stqh_last = 0x0}, c_pending_ops = {stqh_first = 0x0,
stqh_last = 0x0}, c_write1_mutex = {
__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0,
__kind = 0, __spins = 0, __list = {__prev = 0x0, __next = 0x0}}, __size =
'\000' <repeats 39 times>,
__align = 0}, c_write1_cv = {__data = {__lock = 0, __futex = 0,
__total_seq = 0, __wakeup_seq = 0, __woken_seq = 0, __mutex = 0x0,
__nwaiters = 0, __broadcast_seq = 0},
__size = '\000' <repeats 47 times>, __align = 0},
c_write2_mutex = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers
= 0, __kind = 0, __spins = 0, __list = {
__prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 39
times>, __align = 0}, c_write2_cv = {__data = {__lock = 0, __futex = 0,
__total_seq = 0, __wakeup_seq = 0,
__woken_seq = 0, __mutex = 0x0, __nwaiters = 0,
__broadcast_seq = 0}, __size = '\000' <repeats 47 times>, __align = 0},
c_currentber = 0x0, c_writers = 0,
c_writing = 0 '\000', c_sasl_bind_in_progress = 0 '\000',
c_writewaiter = 0 '\000', c_is_tls = 0 '\000', c_needs_tls_accept = 0
'\000', c_sasl_layers = 0 '\000',
c_sasl_done = 0 '\000', c_sasl_authctx = 0x0, c_sasl_sockctx =
0x0, c_sasl_extra = 0x0, c_sasl_cbind = 0x0, c_sasl_bindop = 0x0, c_txn =
0, c_txn_backend = 0x0, c_txn_ops = {
stqh_first = 0x0, stqh_last = 0x0}, c_pagedresults_state =
{ps_be = 0x0, ps_size = 0, ps_count = 0, ps_cookie = 0, ps_cookieval =
{bv_len = 0, bv_val = 0x0}},
c_n_ops_received = 0, c_n_ops_executing = 0, c_n_ops_pending = 0,
c_n_ops_completed = 0, c_n_get = 0, c_n_read = 0, c_n_write = 0,
c_extensions = 0x0, c_clientfunc = 0,
c_clientarg = 0x0, c_send_ldap_result = 0x457014
<slap_send_ldap_result+224>, c_send_search_entry = 0x45806a
<slap_send_search_entry+224>,
c_send_search_reference = 0x45a327
<slap_send_search_reference+224>, c_send_ldap_extended = 0x457b0b
<slap_send_ldap_extended+224>,
c_send_ldap_intermediate = 0x457e55
<slap_send_ldap_intermediate+224>}
opbuf = {ob_op = {o_hdr = 0x7f797716ab50, o_tag = 0, o_time =
1492622208, o_tincr = 22, o_tusec = 614988, o_qtime = {tv_sec = 0, tv_usec
= 0}, o_bd = 0x7f7968001a90, o_req_dn = {
bv_len = 0, bv_val = 0x0}, o_req_ndn = {bv_len = 0, bv_val =
0x0}, o_request = {oq_add = {rs_modlist = 0x0, rs_e = 0x0}, oq_bind =
{rb_method = 0, rb_cred = {bv_len = 0,
bv_val = 0x0}, rb_edn = {bv_len = 0, bv_val = 0x0},
rb_ssf = 0, rb_mech = {bv_len = 0, bv_val = 0x0}}, oq_compare = {rs_ava =
0x0}, oq_modify = {rs_mods = {
rs_modlist = 0x0, rs_no_opattrs = 0 '\000'}, rs_increment
= 0}, oq_modrdn = {rs_mods = {rs_modlist = 0x0, rs_no_opattrs = 0 '\000'},
rs_deleteoldrdn = 0, rs_newrdn = {
bv_len = 0, bv_val = 0x0}, rs_nnewrdn = {bv_len = 0,
bv_val = 0x0}, rs_newSup = 0x0, rs_nnewSup = 0x0}, oq_search = {rs_scope =
0, rs_deref = 0, rs_slimit = 0,
rs_tlimit = 0, rs_limit = 0x0, rs_attrsonly = 0, rs_attrs =
0x0, rs_filter = 0x0, rs_filterstr = {bv_len = 0, bv_val = 0x0}},
oq_abandon = {rs_msgid = 0}, oq_cancel = {
rs_msgid = 0}, oq_extended = {rs_reqoid = {bv_len = 0,
bv_val = 0x0}, rs_flags = 0, rs_reqdata = 0x0}, oq_pwdexop = {rs_extended =
{rs_reqoid = {bv_len = 0, bv_val = 0x0},
rs_flags = 0, rs_reqdata = 0x0}, rs_old = {bv_len = 0,
bv_val = 0x0}, rs_new = {bv_len = 0, bv_val = 0x0}, rs_mods = 0x0,
rs_modtail = 0x0}}, o_abandon = 0,
o_cancel = 0, o_groups = 0x0, o_do_not_cache = 0 '\000',
o_is_auth_check = 0 '\000', o_dont_replicate = 0 '\000', o_acl_priv =
ACL_NONE, o_nocaching = 0 '\000',
o_delete_glue_parent = 0 '\000', o_no_schema_check = 0 '\000',
o_no_subordinate_glue = 0 '\000', o_ctrlflag = '\000' <repeats 31 times>,
o_controls = 0x7f797716ac98,
o_authz = {sai_method = 0, sai_mech = {bv_len = 0, bv_val =
0x0}, sai_dn = {bv_len = 28, bv_val = 0x7f7968109640
"cn=Manager,dc=example,dc=com"}, sai_ndn = {bv_len = 28,
bv_val = 0x7f7968104150 "cn=manager,dc=example,dc=com"},
sai_ssf = 0, sai_transport_ssf = 0, sai_tls_ssf = 0, sai_sasl_ssf = 0},
o_ber = 0x0, o_res_ber = 0x0,
o_callback = 0x0, o_ctrls = 0x0, o_csn = {bv_len = 0, bv_val =
0x0}, o_private = 0x0, o_extra = {slh_first = 0x0}, o_next = {stqe_next =
0x0}}, ob_hdr = {oh_opid = 0,
oh_connid = 18446744073709551615, oh_conn = 0x7f797716ada0,
oh_msgid = 0, oh_protocol = 0, oh_tid = 140159665755904, oh_threadctx =
0x7f797716cb80,
oh_tmpmemctx = 0x7f7968002bb0, oh_tmpmfuncs = 0x76eb20,
oh_counters = 0x7721a0, oh_log_prefix = "conn=-1 op=0", '\000' <repeats 243
times>}, ob_controls = {
0x0 <repeats 32 times>}}
op = 0x7f797716a9d0
thrctx = 0x7f797716cb80
e = 0x18cbed8
a = 0x7f797716aec0
rc = 0
#6 0x000000000042659f in config_add_internal (cfb=0x76f860,
e=0x7f796814ad78, ca=0x7f797716b3c0, rs=0x7f797716ca40,
renum=0x7f797716b3b4, op=0x7f7968002670) at bconfig.c:5536
ce = 0x0
last = 0x7f7968137850
co = {co_def = 0x7f797716b200 "\017", co_type = 1747231856,
co_table = 0x7f7968002bb0, co_ldadd = 0x7f796824a470, co_cfadd =
0x7f797716b120,
co_lddel = 0x7f797bbdc476 <ber_dupbv+40>, co_oc = 0x7f797716b200,
co_name = 0x7f7968134400}
coptr = 0x768e40
colst = 0x7f796824a4c0
a = 0x0
oc_at = 0x7f7968162378
soc_at = 0x7f79681622e8
i = 1
ibase = 0
nocs = 3
rc = 0
pdn = {bv_len = 28, bv_val = 0x7f796813c432
"olcDatabase={1}bdb,cn=config"}
ct = 0x0
ptr = 0x7f7968249a62 "}autoca"
log_prefix = 0x7f7968002838 "conn=1008 op=1"
#7 0x0000000000427081 in config_back_add (op=0x7f7968002670,
rs=0x7f797716ca40) at bconfig.c:5749
ce = 0x7f797716b3e0
addr = {rs_modlist = 0x9, rs_e = 0x7f796813bd90}
cfb = 0x76f860
renumber = 0
dopause = 1
ca = {argc = 2, argv = 0x7f796824a7f0, argv_size = 513, line =
0x7f796812f7a0 "cn=localhost,ou=Servers,dc=example,dc=com", tline =
0x7f796824b800 "", fname = 0x50c925 "slapd",
lineno = 0, linelen = 41, log = "olcACAlocalDN: value #0", '\000'
<repeats 4100 times>, reply = {err = 0, msg = '\000' <repeats 255 times>},
depth = 0, valx = 0, values = {
v_int = 41, v_uint = 41, v_long = 41, v_ulong = 41, v_ber_t =
41, v_string = 0x29 <Address 0x29 out of bounds>, v_bv = {bv_len = 41,
bv_val = 0x7f796824a340
"cn=localhost,ou=Servers,dc=example,dc=com"}, v_dn = {vdn_dn = {bv_len =
41, bv_val = 0x7f796824a340 "cn=localhost,ou=Servers,dc=example,dc=com"},
vdn_ndn = {bv_len = 41, bv_val = 0x7f796812f730
"cn=localhost,ou=servers,dc=example,dc=com"}}, v_ad = 0x29}, rvalue_vals =
0x0, rvalue_nvals = 0x0, op = 0, type = 9,
ca_op = 0x7f7968002670, be = 0x7f7968001a90, bi = 0x7f7968133e00,
ca_entry = 0x0, ca_private = 0x0, cleanup = 0, table = Cft_Overlay}
#8 0x0000000000449e01 in fe_op_add (op=0x7f7968002670, rs=0x7f797716ca40)
at add.c:356
defref = 0xffffffffffffffff
repl_user = 0
modtail = 0x7f796824e170
rc = 0
op_be = 0x18cb6f0
bd = 0x771660
textbuf =
"`\275\023hy\177\000\000\320\375\210\001\000\000\000\000\000D\023hy\177\000\000%{F\000\000\000\000\000\220\307\026wy\177",
'\000' <repeats 18 times>"\320,
\307\026wy\177\000\000`\275\023hy\177\000\000\360'\000hy\177\000\000\220\307\026wy\177\000\000`\274\226wy\177\000\000\300\331\026wy\177\000\000\346L\337{y\177\000\000\a\000\000\000\000\000\000\000`\nw\000\000\000\000\000\260\307\026wy\177\000\000b\277D\000\000\000\000\000\020\310\026wy\177\000\000
\335$hy\177\000\000
\335$hy\177\000\000\030#\026hy\177\000\000\020\310\026wy\177\000\000{\244D",
'\000' <repeats 13 times>,
"\020\311\026wy\177\000\000`\312\026wy\177\000\000\000\000\000\000\001\000\000\000\320&\000hy\177\000\000\000\000\000\000\000\000\000\000"...
textlen = 256
__PRETTY_FUNCTION__ = "esc != ((v"
#9 0x000000000044967e in do_add (op=0x7f7968002670, rs=0x7f797716ca40) at
add.c:205
bd = 0x7f797716c960
ber = 0x7f796c104f70
last = 0x7f796824a2a0 ""
dn = {bv_len = 46, bv_val = 0x7f796824a1e8
"olcOverlay=autoca,olcDatabase={1}bdb,cn=config"}
len = 60
tag = 18446744073709551615
modlist = 0x7f796813bbc0
modtail = 0x7f796824e170
tmp = {sml_mod = {sm_desc = 0x7f7968133b7f, sm_values =
0x7f796813bd60, sm_nvalues = 0x0, sm_numvals = 0, sm_op = 0, sm_flags = 0,
sm_type = {bv_len = 13,
bv_val = 0x7f796824a266 "olcACAlocalDN"}}, sml_next = 0x0}
textbuf =
"\177;\023hy\177\000\000\360\067\022ly\177\000\000\a\000\000\000\000\000\000\000\377\377\377\377\377\377\377\377\300\311\026wy\177\000\000\223\252\275{y\177\000\000P\000\000\000\000\000\000\000p;\023hy\177\000\000\260+\000hy\177",
'\000' <repeats 18 times>"\260,
+\000hy\177\000\000+|K\000\000\000\000\000\200\313\026wy\177\000\000\200\313\026wy\177\000\000\376\241\275{\001\000\000\000
\312\026wy\177\000\000\n}K\000\000\000\000\000\001\000\000\000\002\000\000\000\200\313\026wy\177\000\000\001\000\000\000\001\000\000\000\000\000\020",
'\000' <repeats 13 times>"\260,
+\000hy\177\000\000\260+\000hy\177\000\000\200\313\026wy\177\000\000\360+\000hy\177\000\000_\036{\257\000\000\000\000
\312\026wy\177\000\000\v\371C\000\000\000\000\000\200\313\026wy\177\000\000\346"...
textlen = 256
rc = 0
freevals = 0
oex = {oe = {oe_next = {sle_next = 0x0}, oe_key = 0x448988}, oe_db
= 0x0}
#10 0x000000000043fe42 in connection_operation (ctx=0x7f797716cb80,
arg_v=0x7f7968002670) at connection.c:1163
rc = 80
cancel = 152257809
op = 0x7f7968002670
rs = {sr_type = REP_RESULT, sr_tag = 0, sr_msgid = 0, sr_err = 0,
sr_matched = 0x0, sr_text = 0x0, sr_ref = 0x0, sr_ctrls = 0x0, sr_un =
{sru_search = {r_entry = 0x0,
r_attr_flags = 0, r_operational_attrs = 0x0, r_attrs = 0x0,
r_nentries = 0, r_v2ref = 0x0}, sru_sasl = {r_sasldata = 0x0}, sru_extended
= {r_rspoid = 0x0, r_rspdata = 0x0}},
sr_flags = 0}
tag = 104
opidx = SLAP_OP_ADD
conn = 0x18f9e10
memctx = 0x7f7968002bb0
memctx_null = 0x0
memsiz = 1048576
__PRETTY_FUNCTION__ = "on_write(%ld): no con"
#11 0x00000000004403ea in connection_read_activate (s=0) at
connection.c:1321
rc = 32633
#12 0x0000000000000008 in ?? ()
No symbol table info available.
#13 0x00007f797716cb80 in ?? ()
No symbol table info available.
#14 0x00007f7968002670 in ?? ()
No symbol table info available.
#15 0x0000000000000000 in ?? ()
No symbol table info available.
(gdb)
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>