Bug 1461437
Summary: | crash in send_ldap_result | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | German Parente <gparente> |
Component: | 389-ds-base | Assignee: | mreynolds |
Status: | CLOSED ERRATA | QA Contact: | Viktor Ashirov <vashirov> |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | | |
Version: | 7.4 | CC: | msauton, nkinder, rmeggins, tbordaz |
Target Milestone: | rc | Keywords: | ZStream |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | 389-ds-base-1.3.7.5-4.el7 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | | |
: | 1489694 | Environment: | |
Last Closed: | 2018-04-10 14:16:50 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1489694 | | |
Description
German Parente
2017-06-14 12:55:29 UTC
Upstream ticket https://pagure.io/389-ds-base/issue/49291
upstream slapi-nis ticket https://pagure.io/slapi-nis/issue/16 (improve robustness of slapi-nis)
upstream slapi-nis ticket https://pagure.io/slapi-nis/issue/17 (format_add_sdn_list was called with empty sdn)

As a follow up of investigations of https://pagure.io/slapi-nis/issue/17

- Because base_sdn_list and base_sdn_list2 contain the same SDN with NULL DN we know the NULL DN was added by calling format_add_sdn_list.
- The NULL DN SDN was the last SDN of base_sdn_list, so it was appended to the list
- format_add_sdn_list is called in several places
  - backend_shr_update_references_cb
  - backend_shr_note_entry_sdn_cb
  - format_referred_r_entry_cb
  - format_maybe_add_sdn_list
  - format_deref_rx
  - format_referred_r

- In backend_shr_update_references_cb:
  backend_shr_update_references_cb was not called with an entry with NULL dn.
  In fact, 'cn=groups' maps contains a 'ignore_subtree' array. In such condition the entry DN is tested and if it is NULL, backend_shr_update_references_cb exits before calling format_add_sdn_list.

```
(gdb) print *(struct backend_shr_set_data *) backend_data
$2 = {state = 0x7fa57b585a30, group = 0x7fa521a75df0 "cn=compat,<suffix>", set = 0x7fa5238e28a0 "cn=groups",
  bases = 0x7fa5238ea0c0, entry_filter = 0x7fa520008220 "(objectclass=posixGroup)", rel_attrs = 0x7fa523eae650,
  rel_attr_list = 0x7fa528007860 "cn,ipaanchoruuid,gidNumber,memberUid,ipauniqueid,member,uid",
  rel_attrs_list = 0x7fa523eae650, ref_attrs = 0x0, inref_attrs = 0x0, ref_attr_list = 0x7fa510582480,
  inref_attr_list = 0x0, skip_uninteresting_updates = 1,
(gdb) print *((struct backend_shr_set_data *) backend_data)->ignore_subtrees[0]
$5 = {flag = 7 '\a', udn = 0x0, dn = 0x7fa521a53330 "cn=tasks,cn=config", ndn = 0x7fa510f8b240 "cn=tasks,cn=config", ndn_len = 18}
(gdb) print *((struct backend_shr_set_data *) backend_data)->ignore_subtrees[1]
Cannot access memory at address 0x0
```

  So the NULL DN SDN was not added by backend_shr_update_references_cb

- In backend_shr_note_entry_sdn_cb
  backend_shr_note_entry_sdn_cb is a callback of a search function. A NULL dn entry does not exist. An internal search would not call backend_shr_note_entry_sdn_cb with a NULL DN entry

- In format_referred_r_entry_cb
  Idem as above

- In format_maybe_add_sdn_list
  It does not call format_add_sdn_list on NULL dn entry

- format_deref_rx
  This is possible when looping over parents entries

- format_referred_r
  This is possible if backend_get_set_config can return NULL DN SDN if it is called with an entry containing NULL DN

In conclusion:
The most probable places to introduce NULL DN SDN in the list are
- format_deref_rx (while looping other parents)
- format_referred_r (backend_get_set_config / called with NULL DN entry)

Hi Viktor,

Unfortunately I think the easiest way to reproduce is to use/configure slapi-nis. We need to have a plugin that triggers an internal search with a base search that is SDN containing a NULL DN. I do not know if using slapi-nis is an acceptable option to test that bug.
If it is, you can use the test case described in https://pagure.io/slapi-nis/issue/17 (having a group with members (member attribute) with one of the 'member' values being empty). If it is not acceptable I will need to dig in our standard plugins to check if one of them is doing an internal search without checking the base search SDN.

Builds tested:
389-ds-base-1.3.7.5-10.el7.x86_64
slapi-nis-0.56.0-7.el7.x86_64

[1] To verify I configured slapi-nis plugin:

```
# ldapadd -D "cn=Directory Manager" -w Secret123
dn: cn=NIS Server,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: NIS Server
nsslapd-pluginPath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
nsslapd-pluginInitfunc: nis_plugin_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-pluginDescription: NIS Server Plugin
nsslapd-pluginVendor: redhat.com
nsslapd-pluginVersion: 0.56 (betxn support available and enabled by default)
nsslapd-pluginId: nis-plugin
nis-tcp-wrappers-name: ypserv
nsslapd-pluginarg0: 541

dn: nis-domain=example.com+nis-map=groups,cn=NIS Server,cn=plugins,cn=config
objectClass: extensibleObject
objectClass: top
nis-domain: example.com
nis-map: groups
nis-base: ou=Groups, dc=example, dc=com
nis-filter: (objectClass=groupOfNames)
nis-key-format: %{cn}
nis-value-format: %merge(" ","%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"-\\\")\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"-\\\")\"),%{nisDomainName:-})")

adding new entry "cn=NIS Server,cn=plugins,cn=config"

adding new entry "nis-domain=example.com+nis-map=groups,cn=NIS Server,cn=plugins,cn=config"
```

[2] Added test entries:

```
# ldapadd -D "cn=Directory Manager" -w Secret123
dn: cn=tuser,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: top
objectClass: person
cn: tuser
sn: tuser
uid: tuser
gidNumber: 2000
homeDirectory: /home/tuser
uidNumber: 2000

dn: cn=tgroup,ou=Groups,dc=example,dc=com
objectClass: groupofnames
objectClass: top
cn: tgroup
member:
member: cn=tuser,ou=People,dc=example,dc=com

adding new entry "cn=tuser,ou=People,dc=example,dc=com"

adding new entry "cn=tgroup,ou=Groups,dc=example,dc=com"
```

[3] Removed empty member attribute without server crashing:

```
# ldapmodify -D "cn=Directory Manager" -w Secret123
dn: cn=tgroup,ou=Groups,dc=example,dc=com
changetype: modify
replace: member
member: cn=tuser,ou=People,dc=example,dc=com

modifying entry "cn=tgroup,ou=Groups,dc=example,dc=com"
```

Marking as VERIFIED.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0811
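
The analysis in this report traces the crash to an SDN with a NULL DN that was appended to a base list and later used as an internal search base. The following C is an added example, not code from slapi-nis or 389-ds-base: it shows that kind of list append with a guard that refuses such an SDN. `struct sdn_model`, `sdn_is_usable`, `sdn_list_add_checked` and `demo_members_added` are hypothetical names, and the sample input is constructed from the tgroup test entry.

```c
#include <stdlib.h>

/* Hypothetical stand-in for the SDN seen in the gdb output (dn, ndn);
 * this is not the real Slapi_DN type and not slapi-nis code. */
struct sdn_model {
    const char *dn;      /* NULL for the problematic "NULL DN" SDN */
    const char *ndn;     /* normalized DN */
};

/* An SDN is usable as a search base only if it carries a non-empty DN. */
int sdn_is_usable(const struct sdn_model *sdn)
{
    return sdn != NULL && sdn->dn != NULL && sdn->dn[0] != '\0';
}

/* Append to a NULL-terminated array; 1 = added, 0 = rejected, -1 = no memory. */
int sdn_list_add_checked(const struct sdn_model ***list,
                         const struct sdn_model *sdn)
{
    size_t n = 0;
    const struct sdn_model **grown;
    if (!sdn_is_usable(sdn))
        return 0;                       /* caller skips (and may log) it */
    while (*list != NULL && (*list)[n] != NULL)
        n++;
    grown = realloc(*list, (n + 2) * sizeof(*grown));
    if (grown == NULL)
        return -1;
    grown[n] = sdn;
    grown[n + 1] = NULL;
    *list = grown;
    return 1;
}

/* Constructed input mirroring the tgroup entry: one empty member value and
 * one real member. Returns how many SDNs ended up in the list. */
int demo_members_added(void)
{
    static const struct sdn_model empty = { NULL, NULL };
    static const struct sdn_model tuser = {
        "cn=tuser,ou=People,dc=example,dc=com",
        "cn=tuser,ou=people,dc=example,dc=com" };
    const struct sdn_model **list = NULL;
    int added = sdn_list_add_checked(&list, &empty) == 1;
    added += sdn_list_add_checked(&list, &tuser) == 1;
    free(list);
    return added;
}

int main(void) { return demo_members_added() == 1 ? 0 : 1; }
```

Only the real member is accepted, so a later loop over the list never hands a NULL DN to a search call.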