[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
2.4.44 reproducible segfault via ldap search operation
- To: openldap-technical@openldap.org
- Subject: 2.4.44 reproducible segfault via ldap search operation
- From: Karsten Heymann <karsten.heymann@gmail.com>
- Date: Tue, 16 May 2017 13:21:31 +0200
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=psqKcNm1L43s8ixOeOvTULH8RwNzcj2tdWN20RqKsl4=; b=qM+Qh6XX7+oyFg5/LekJXbsviDqfXrJRo1+eu19n+3V7kxyfM5lb2IUkUfDlAYbHfG rVDLFpmN3SUuOKiUkyaqnh57t0RdzpggIdjdjPha2WZBfrC3Hp8n4UKB9nZEUKLVN5ho QIih3Z4wNd7m44t5t2ftgcw0Yqyjjh+xrpueebbOvkewmzhVI2hc8HnkTdX3s4NUBUxU 0eLPtx5Gk4kUiPWm959MjmSIvPmxnfN15Qd5KiBvWI3XZ4qAD5izcW2s8AD9mNr58bLc KEomjAa0ivpjeBgAO6RXX/vujxP3CRl+SjeE2Xyqq2xLx43T1jShkoRnBrbkGuxF95a3 wF+w==
Hi,
some hours ago I found a way to instantly kill our (production -sigh-
) slapd processed with a simple unauthenticated ldap search operation.
We are running 2.4.40 (from debian wheezy-backports) in production but
I was able to reproduce exactly the same behaviour with 2.4.44 (taken
from debian jessie-backports). While I'm building a minimal testcase
without internal information so I can provide it to the project (are
there more bug submission guidelines than
http://www.openldap.org/faq/data/cache/59.html ?), I wanted to ask how
you want me to handle this in my eyes quite serious incident. Should I
just post it to the mailing list or do you prefer a non-public
transmission first so the bug does not get exploited in a denial of
service use case before you had the chance to come up with a fix? I
will also try to verify if the problem is still existing in the
current git master or self compiled 2.4.44.
Best regards,
Karsten