Bug 1109334

Summary: 389 Server crashes if uniqueMember is invalid syntax and memberOf plugin is enabled.
Product: Red Hat Enterprise Linux 7
Reporter: Noriko Hosoi <nhosoi>
Component: 389-ds-base
Assignee: Noriko Hosoi <nhosoi>
Status: CLOSED ERRATA
QA Contact: Viktor Ashirov <vashirov>
Severity: unspecified
Priority: medium
Version: 7.1
CC: nkinder, rmeggins, vashirov
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 389-ds-base-1.3.3.1-1.el7
Doc Type: Bug Fix
Doc Text:
Cause: MemberOf plugin code assumes the DN value has the correct syntax, and does not check the normalized value of that DN.
Consequence: This leads to dereferencing a NULL pointer and crash.
Fix: Check the normalized value, and log a proper error.
Result: Invalid DN does not cause the crash and it is logged in the error log.
Clone Of: 1109333
Last Closed: 2015-03-05 09:35:17 UTC
Bug Depends On: 1109333    

Description Noriko Hosoi 2014-06-13 17:16:06 UTC
+++ This bug was initially created as a clone of Bug #1109333 +++

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47793

Attempting to add a uniqueMember to a group of type groupOfUniqueNames crashes the server if syntax checking is off.

Steps to recreate:
1. Enable memberofplugin with memberofgroupattr=uniqueMember and memberofattr=memberOf.  (Requires server restart)
2. Disable syntax checking: in cn=cn=config, attribute nsslapd-syntaxcheck=off
3. In any groupOfUniqueName group, add an invalid uniqueMember such as cn=test,null,dc=will,dc=crash
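
The cause and fix stated in the Doc Text above, as an added C example that is not 389-ds-base code: `normalize_dn` and `handle_member_value` are hypothetical stand-ins, and the normalizer is deliberately simplified (no escaped commas or multi-valued RDNs). The caller checks the normalized value for NULL and logs the invalid DN instead of using it.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified normalizer: lowercases the DN and returns NULL
 * when any comma-separated RDN lacks the "type=value" form. Escaped commas
 * and multi-valued RDNs are not handled. The caller frees the result. */
static char *normalize_dn(const char *dn)
{
    size_t len = strlen(dn);
    char *out = malloc(len + 1);
    if (out == NULL) return NULL;
    for (const char *rdn = dn;;) {
        const char *end = strchr(rdn, ',');
        size_t n = end ? (size_t)(end - rdn) : strlen(rdn);
        const char *eq = memchr(rdn, '=', n);
        /* Reject a missing '=', an empty type, or an empty value. */
        if (eq == NULL || eq == rdn || eq == rdn + n - 1) { free(out); return NULL; }
        if (end == NULL) break;
        rdn = end + 1;
    }
    for (size_t i = 0; i <= len; i++)   /* copies the terminator as well */
        out[i] = (char)tolower((unsigned char)dn[i]);
    return out;
}

/* Hardened caller: without the NULL check, the normalizer's result would go
 * straight to strlen() and be dereferenced for an invalid member value. */
int handle_member_value(const char *group_dn, const char *member)
{
    char *ndn = normalize_dn(member);
    if (ndn == NULL) {
        fprintf(stderr, "memberof: invalid DN \"%s\" in group \"%s\"\n", member, group_dn);
        return -1;
    }
    printf("would update memberOf on %s (%zu bytes)\n", ndn, strlen(ndn));
    free(ndn);
    return 0;
}

int main(void)
{
    const char *group = "cn=memberofgroup,ou=Groups,dc=example,dc=com";
    handle_member_value(group, "uid=alice,ou=People,dc=example,dc=com"); /* constructed */
    handle_member_value(group, "cn=test,null,dc=will,dc=crash");  /* value from the report */
    return 0;
}
```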

Comment 1 Noriko Hosoi 2014-07-09 21:40:00 UTC
Steps to verify:
Description in https://fedorahosted.org/389/ticket/47793

Comment 3 Viktor Ashirov 2014-11-21 16:13:30 UTC
$ rpm -qa | grep 389
389-ds-base-1.3.3.1-9.el7.x86_64
389-ds-base-debuginfo-1.3.3.1-9.el7.x86_64
389-ds-base-libs-1.3.3.1-9.el7.x86_64

$ ldapmodify -D 'cn=Directory Manager' -w Secret123  -H ldap://localhost:389  << EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-syntaxcheck
> nsslapd-syntaxcheck: off
> -
> 
> dn: cn=MemberOf Plugin,cn=plugins,cn=config
> changetype: modify
> replace: memberofgroupattr
> memberofgroupattr: member
> memberofgroupattr: uniqueMember
> -
> replace: nsslapd-pluginEnabled
> nsslapd-pluginEnabled: on
> -
> EOF
modifying entry "cn=config"

modifying entry "cn=MemberOf Plugin,cn=plugins,cn=config"

$ ldapadd -D 'cn=Directory Manager' -w Secret123  -H ldap://localhost:389  << EOF
> dn: cn=memberofgroup,ou=Groups,dc=example,dc=com
> objectClass: groupofuniquenames
> objectClass: top
> cn: memberofgroup
> EOF
adding new entry "cn=memberofgroup,ou=Groups,dc=example,dc=com"

$ ldapmodify -D 'cn=Directory Manager' -w Secret123  -H ldap://localhost:389  << EOF
> dn: cn=memberofgroup,ou=Groups,dc=example,dc=com
> changetype: modify
> add: uniqueMember
> uniqueMember: cn=test,null,dc=will,dc=crash
> -
> EOF
modifying entry "cn=memberofgroup,ou=Groups,dc=example,dc=com"

$ pgrep ns-slapd
7723

Server keeps running. On an affected version of 389-ds-base, ns-slapd would crash.
Hence marking as verified.

Comment 5 errata-xmlrpc 2015-03-05 09:35:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html